Communicate only when necessary:
Cooperative tasking for multi-agent systems 

Mohammad Karimadini, and Hai Lin 

Abstract 

New advances in large scale distributed systems have amazingly offered complex functionalities 
through parallelism of simple and rudimentary components. The key issue in cooperative control of 
multi-agent systems is the synthesis of local control and interaction rules among the agents such that 
the entire controlled system achieves a desired global behavior. For this purpose, three fundamental 
problems have to be addressed: (1) task decomposition for top-down design, such that the fulfillment of 
local tasks guarantees the satisfaction of the global task, by the team; (2) fault-tolerant top-down design, 
such that the global task remains decomposable and achievable, in spite of some failures, and (3) design of
interactions among agents to make an undecomposable task decomposable and achievable in a top-down 
framework. The first two problems have been addressed in our previous works, by identifying necessary 
and sufficient conditions for task automaton decomposition, and fault-tolerant task decomposability, 
based on decision making on the orders and selections of transitions, interleaving of synchronized strings 
and determinism of bisimulation quotient of local task automata. This paper deals with the third problem 
and proposes a procedure to redistribute the events among agents in order to enforce decomposability of 
an undecomposable task automaton. The decomposability conditions are used to identify the root causes 
of undecomposability which are found to be due to over-communications that have to be deleted, while 
respecting the fault-tolerant decomposability conditions; or because of the lack of communications 
that require new sharing of events, while considering new violations of decomposability conditions. 
This result provides a sufficient condition to make any undecomposable deterministic task automaton 
decomposable in order to facilitate cooperative tasking. Illustrative examples are presented to show the 
concept of task automaton decomposabilization.
I. INTRODUCTION

With new advances in technology and emergence of large scale complex systems [1], [2], there
is an ever-increasing demand for cooperative control of distributed systems with sophisticated
specifications [3], [4], [5], [6] which impose new challenges that fall beyond the traditional
methods [7], [8], [9]. Conventional approaches either consider the team of agents as a
monolithic plant to be controlled by a centralized unit, or design and iteratively adjust local
controllers, in a bottom-up structure, to generate a behavior close to a desired global behavior.
Although the latter approaches offer more flexibility, scalability and functionality with lower
cost, due to local actuation and communications of agents [10], [11], [12], they fail to guarantee
a given global specification [13]. For this purpose, top-down cooperative control aims at formal
design of local controllers in order to collectively achieve the global specification, by design.

To address the top-down cooperative control, three fundamental questions are evoked: The first 
question is the task decomposition problem that is interested in understanding of whether all tasks 
are decomposable, and if not, what are the conditions for task decomposability. It furthermore 
asks that if the task is decomposable and local controllers are designed to satisfy local tasks, 
whether the whole closed loop system satisfies the global specification. Subsequently, the second 
question refers to the cooperative control under event failures, and would like to know if after 
the task decomposition and local controller designs for global satisfaction, some events fail in 
some agents, then whether the task still remains decomposable and globally satisfied, in spite of 
event failures. As another follow-up direction, the third question investigates the way to make an 
undecomposable task decomposable through modification of local agents in order to accomplish 
the proposed cooperative control. 

For cooperative control of logical behaviors [16], represented in automata [17], [18], the first
question (task decomposability for cooperative tasking) was addressed in our previous work
[19], by decomposing a given global task automaton into two local task automata such that
their parallel composition bisimulates the original task automaton. By using the notion of shared
events, instead of common events and incorporating the concept of global decision making on the
orders and selections between the transitions, the decomposability result was generalized in [20]
to an arbitrary finite number of agents. Given a deterministic task automaton, and a set of local
event sets, necessary and sufficient conditions were identified for task automaton decomposability
based on decision making on the orders and selections of transitions, interleaving of synchronized
strings and determinism of bisimulation quotient of local automata. It was also proven that the
fulfillment of local task automata guarantees the satisfaction of the global specification, by design.

The second question, cooperative tasking under event failure, was investigated in [21], by
introducing a notion of passive events to transform the fault-tolerant task decomposability
problem to the standard automaton decomposability problem in [20]. The passivity was found to
reflect the redundancy of communication links, based on which the necessary and sufficient
conditions have been then introduced under which a previously decomposable task automaton
remains decomposable and achievable, in spite of event failures. The conditions ensure that
after passive failures, the team of agents maintains its capability for global decision making on 
the orders and selections between transitions; no illegal behavior is allowed by the team (no 
new string emerges in the interleavings of local strings) and no legal behavior is disabled by 
the team (any string in the global task automaton appears in the parallel composition of local 
automata). These conditions interestingly guarantee the team of agents to still satisfy its global 
specification, even if some local agents fail to maintain their local specifications. 

This paper deals with the third question to investigate how to make undecomposable task 
automata decomposable in order for cooperative tasking of multi-agent systems. For a global 
task automaton that is not decomposable with respect to given local event sets, the problem 
is particularly interested in finding a way to modify the local task automata such that their 
parallel composition bisimulates the original global task automaton, to guarantee its satisfaction 
by fulfilling the local task automata. 

Decomposition of different formalisms of logical specification has been reported in the
literature. Examples of such methods can be seen for decomposition of a specification given
in CSP [22], decomposition of a LOTOS [23], [24], [25] and decomposition of petri nets [26],
[27]. The problem of automaton decomposabilization has been also studied in computer science
literature. For example, [28] characterized the conditions for decomposition of asynchronous
automata in the sense of isomorphism based on the maximal cliques of the dependency graph.
The isomorphism equivalence used in [28] is however a strong condition, in the sense that
two isomorphic automata are bisimilar but not vice versa [17]. Moreover, [28] considers a set
of events to be attributed to a number of agents, with no predefinition of local event sets.
While event attribution is suitable for parallel computing and synthesis problems in computer
science, control applications typically deal with parallel distributed plants [29] whose events are
predefined by the set of sensors, actuators and communication links across the agents. Therefore,
it would be advantageous to find a way to make an undecomposable automaton decomposable
with respect to predefined local event sets, by modifying local task automata. Since the global task
automaton is fixed, one way to modify the local task automata is through the modification in local
event sets, which is the main theme of this paper. Another related work is [30] that proposes
a method for automaton decomposabilization by adding synchronization events such that the
parallel composition of local automata is observably bisimilar to the original automaton. The
approach in [30], however, allows to add synchronization events to the event set that will enlarge
the size of global event set. Our work deals with those applications with fixed global event sets
and predefined distribution of events among local agents, where enforcing the decomposability
is not allowed by adding the new synchronization events, but instead by redistribution of the
existing events among the agents.

For this purpose, we propose an algorithm that uses previous results on task decomposition
[19], [20] to identify and overcome dissatisfaction of each decomposability condition. The
algorithm first removes all redundant communication links using the fault-tolerant result [21].
As a result, any violation of decomposability conditions that remains after this stage is not due
to redundant communication links, and hence cannot be removed by means of link deletions.
Instead, the algorithm proceeds by establishing new communication links to provide enough
information to facilitate the task automaton decomposition. Since each new communication link
may overcome several violations of decomposability conditions, the algorithm may offer different
options for link addition, leading to the question of optimal decomposability with minimum
number of communication links. It is found that if link additions impose no new violations
of decomposability conditions, then it is possible to make the automaton decomposable with
minimum number of links. However, it is furthermore shown that, in general, addition of new
communication links may introduce new violations of decomposability conditions that in turn
require establishing new communication links. In such cases, the optimal path depends on the
structure of the automaton and requires a dynamic exhaustive search to find the sequence of link
additions with minimum number of links. Therefore, in case of new violations, a simple sufficient
condition is proposed to provide a feasible suboptimal solution to enforce the decomposability,
without checking of decomposability conditions after each link addition. This approach can
decompose any deterministic task automaton, after which, according to the previous results,
designing local controllers such that local specifications are satisfied guarantees the fulfillment
of the global specification, by design.

The rest of the paper is organized as follows. Preliminary lemmas, notations, definitions and
problem formulation are presented in Section II. This section also establishes the links to
previous works on task automaton decomposition and fault-tolerant decomposition results. Section
III proposes an algorithm to make any undecomposable deterministic automaton decomposable
by modifying its local event sets. Illustrative examples are also given to elaborate the concept of
task automaton decomposabilization. Finally, the paper concludes with remarks and discussions
in Section IV. Proofs of the lemmas are readily given in the Appendix.

II. PROBLEM FORMULATION 

A. Definitions and notations 

We first recall the definitions and notations used in this paper. 

A deterministic automaton is a tuple $A := (Q, q_0, E, \delta)$ consisting of a set of states $Q$;
an initial state $q_0 \in Q$; a set of events $E$ that causes transitions between the states, and a
transition relation $\delta \subseteq Q \times E \times Q$, with partial map $\delta : Q \times E \to Q$, such that $(q, e, q') \in \delta$
if and only if state $q$ is transited to state $q'$ by event $e$, denoted by $q \xrightarrow{e} q'$ (or $\delta(q, e) = q'$).
A nondeterministic automaton is a tuple $A := (Q, q_0, E, \delta)$ with a partial transition map
$\delta : Q \times E \to 2^Q$, and if hidden transitions ($\varepsilon$-moves) are also possible, then a nondeterministic
automaton with hidden moves is defined as $A := (Q, q_0, E \cup \{\varepsilon\}, \delta)$ with a partial map
$\delta : Q \times (E \cup \{\varepsilon\}) \to 2^Q$. For a nondeterministic automaton the initial state can be generally from a
set $Q_0 \subseteq Q$. Given a nondeterministic automaton $A$, with hidden moves, the $\varepsilon$-closure of $q \in Q$,
denoted by $\varepsilon^*_A(q) \subseteq Q$, is recursively defined as: $q \in \varepsilon^*_A(q)$; $q' \in \varepsilon^*_A(q) \Rightarrow \delta(q', \varepsilon) \subseteq \varepsilon^*_A(q)$.
The transition relation can be extended to a finite string of events, $s \in E^*$, where $E^*$ stands for
Kleene-closure of $E$ (the set of all finite strings over elements of $E$). For an automaton without
hidden moves, $\varepsilon^*_A(q) = \{q\}$, and the transition on string is inductively defined as $\delta(q, \varepsilon) = q$
(empty move or silent transition), and $\delta(q, se) = \delta(\delta(q, s), e)$ for $s \in E^*$ and $e \in E$. For
an automaton $A$, with hidden moves, the extension of transition relation on string, denoted by
$\delta : Q \times E^* \to 2^Q$, is inductively defined as: $\forall q \in Q, s \in E^*, e \in E$: $\delta(q, \varepsilon) :=$ and



The operator $Ac(\cdot)$ [17] is then defined by excluding the states and their attached transitions
that are not reachable from the initial state as $Ac(A) = (Q_{ac}, q_0, E, \delta_{ac})$ with
$Q_{ac} = \{q \in Q \mid \exists s \in E^*, q \in \delta(q_0, s)\}$ and $\delta_{ac} = \delta|_{Q_{ac} \times E \to Q_{ac}}$, restricting $\delta$ to the smaller domain of $Q_{ac}$. Since
$Ac(\cdot)$ has no effect on the behavior of the automaton, from now on we take $A = Ac(A)$.

We focus on deterministic global task automata that are simpler to be characterized, and cover
a wide class of specifications. The qualitative behavior of a deterministic system is described by
the set of all possible sequences of events starting from the initial state. Each such sequence is
called a string, and the collection of strings represents the language generated by the automaton,
denoted by $L(A)$. The existence of a transition over a string $s \in E^*$ from a state $q \in Q$ is
denoted by $\delta(q, s)!$. Considering a language $L$, by $\delta(q, L)!$ we mean that $\forall \omega \in L : \delta(q, \omega)!$. For
$e \in E$, $s \in E^*$, $e \in s$ means that $\exists t_1, t_2 \in E^*$ such that $s = t_1 e t_2$. In this sense, the intersection
of two strings $s_1, s_2 \in E^*$ is defined as $s_1 \cap s_2 = \{e \mid e \in s_1 \wedge e \in s_2\}$. Likewise, $s_1 \backslash s_2$ is
defined as $s_1 \backslash s_2 = \{e \mid e \in s_1, e \notin s_2\}$. For $s_1, s_2 \in E^*$, $s_1$ is called a sub-string of $s_2$, denoted
by $s_1 \leqslant s_2$, when $\exists t \in E^*$, $s_2 = s_1 t$. Two events $e_1$ and $e_2$ are called successive events if
$\exists q \in Q : \delta(q, e_1)! \wedge \delta(\delta(q, e_1), e_2)!$ or $\delta(q, e_2)! \wedge \delta(\delta(q, e_2), e_1)!$. Two events $e_1$ and $e_2$ are called
adjacent events if $\exists q \in Q : \delta(q, e_1)! \wedge \delta(q, e_2)!$.

To compare the task automaton and its decomposed automata, we use the bisimulation
relations. Consider two automata $A_i = (Q_i, q_i^0, E, \delta_i)$, $i = 1, 2$. A relation $R \subseteq Q_1 \times Q_2$ is said to
be a simulation relation from $A_1$ to $A_2$ if $(q_1^0, q_2^0) \in R$, and $\forall (q_1, q_2) \in R$, $\delta_1(q_1, e) = q_1'$, then
$\exists q_2' \in Q_2$ such that $\delta_2(q_2, e) = q_2'$, $(q_1', q_2') \in R$. If $R$ is defined for all states and all events in $A_1$,
then $A_1$ is said to be similar to $A_2$ (or $A_2$ simulates $A_1$), denoted by $A_1 \prec A_2$ [17]. If $A_1 \prec A_2$,
$A_2 \prec A_1$, with a symmetric relation, then $A_1$ and $A_2$ are said to be bisimilar (bisimulate each
other), denoted by $A_1 \cong A_2$ [31]. In general, bisimilarity implies language equivalence but the
converse does not necessarily hold [32].

In these works natural projection is used to obtain local tasks, as local perspective of agents
from the global task. Consider a global event set $E$ and its local event sets $E_i$, $i = 1, 2, \ldots, n$,
with $E = \bigcup_{i=1}^{n} E_i$. Then, the natural projection $p_i : E^* \to E_i^*$ is inductively defined as $p_i(\varepsilon) = \varepsilon$,
and $\forall s \in E^*, e \in E$:

$$p_i(se) = \begin{cases} p_i(s)e & \text{if } e \in E_i; \\ p_i(s) & \text{otherwise.} \end{cases}$$

Accordingly, inverse natural projection $p_i^{-1} : E_i^* \to 2^{E^*}$ is defined on a string $t \in E_i^*$ as
$p_i^{-1}(t) := \{s \in E^* \mid p_i(s) = t\}$.

The natural projection is also defined on automata as $P_i : \mathcal{A} \to \mathcal{A}$, where $\mathcal{A}$ is the set
of finite automata and $P_i(A_S)$ are obtained from $A_S$ by replacing its events that belong to
$E \backslash E_i$ by $\varepsilon$-moves, and then, merging the $\varepsilon$-related states. The $\varepsilon$-related states form equivalent
classes defined as follows. Consider an automaton $A_S = (Q, q_0, E, \delta)$ and a local event set
$E_i \subseteq E$. Then, the relation $\sim_{E_i}$ is the equivalence relation on the set $Q$ of states such that
$\delta(q, e) = q' \wedge e \notin E_i \Rightarrow q \sim_{E_i} q'$, and $[q]_{E_i}$ denotes the equivalence class of $q$ defined on
$\sim_{E_i}$. The set of equivalent classes of states over $\sim_{E_i}$ is denoted by $Q_{/\sim_{E_i}}$, and defined as
$Q_{/\sim_{E_i}} = \{[q]_{E_i} \mid q \in Q\}$ [28]. The natural projection of $A_S$ into $E_i$ is then formally defined as
$P_i(A_S) = (Q_i = Q_{/\sim_{E_i}}, [q_0]_{E_i}, E_i, \delta_i)$, with $\delta_i([q]_{E_i}, e) = [q']_{E_i}$ if there exist states $q_1$ and $q_1'$
such that $q_1 \sim_{E_i} q$, $q_1' \sim_{E_i} q'$, and $\delta(q_1, e) = q_1'$.

To investigate the interactions of transitions between automata, particularly between $P_i(A_S)$,
$i = 1, \ldots, n$, the synchronized product of languages is defined as follows. Consider a global
event set $E$ and local event sets $E_i$, $i = 1, \ldots, n$, such that $E = \bigcup_{i=1}^{n} E_i$. For a finite set of
languages $\{L_i \subseteq E_i^*\}_{i=1}^{n}$, the synchronized product (language product) of $\{L_i\}$, denoted by
$\big|_{i=1}^{n} L_i$, is defined as $\big|_{i=1}^{n} L_i = \{s \in E^* \mid \forall i \in \{1, \ldots, n\} : p_i(s) \in L_i\} = \bigcap_{i=1}^{n} p_i^{-1}(L_i)$ [14].



Then, parallel composition (synchronized product) is used to define the composition of local
task automata to retrieve the global task automaton, and to model each local closed loop system
by compositions of its local plant and local controller automata. Let $A_i = (Q_i, q_i^0, E_i, \delta_i)$, $i = 1, 2$
be automata. The parallel composition (synchronous composition) of $A_1$ and $A_2$ is the automaton
$A_1 \| A_2 = (Q = Q_1 \times Q_2, q_0 = (q_1^0, q_2^0), E = E_1 \cup E_2, \delta)$, with $\delta$ defined as $\forall (q_1, q_2) \in Q, e \in E$:

$$\delta((q_1, q_2), e) = \begin{cases} (\delta_1(q_1, e), \delta_2(q_2, e)), & \text{if } \delta_1(q_1, e)!,\ \delta_2(q_2, e)!,\ e \in E_1 \cap E_2; \\ (\delta_1(q_1, e), q_2), & \text{if } \delta_1(q_1, e)!,\ e \in E_1 \backslash E_2; \\ (q_1, \delta_2(q_2, e)), & \text{if } \delta_2(q_2, e)!,\ e \in E_2 \backslash E_1; \\ \text{undefined}, & \text{otherwise.} \end{cases}$$

The parallel composition of $A_i$, $i = 1, 2, \ldots, n$ is called parallel distributed system (or
concurrent system), and is defined based on the associativity property of parallel composition [17] as
$\|_{i=1}^{n} A_i = A_1 \| \cdots \| A_n = A_n \| (A_{n-1} \| (\cdots \| (A_2 \| A_1)))$.

The set of labels of local event sets containing an event $e$ is called the set of locations of $e$,
denoted by $loc(e)$ and is defined as $loc(e) = \{i \in \{1, \ldots, n\} \mid e \in E_i\}$.

Based on these definitions, a task automaton $A_S$ with event set $E$ and local event sets $E_i$,
$i = 1, \ldots, n$, $E = \bigcup_{i=1}^{n} E_i$, is said to be decomposable with respect to parallel composition and
natural projections $P_i$, $i = 1, \ldots, n$, when $\|_{i=1}^{n} P_i(A_S) \cong A_S$.

B. Problem formulation 

In [19], we have shown that not all automata are decomposable with respect to parallel
composition and natural projections, and subsequently necessary and sufficient conditions were
proposed for decomposability of a task automaton with respect to parallel composition and
natural projections into two local event sets. These necessary and sufficient conditions were then
generalized to an arbitrary finite number of agents, in [20], as

Lemma 1: (Corollary 1 in [20]) A deterministic automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^{n} E_i, \delta)$ is
decomposable with respect to parallel composition and natural projections $P_i$, $i = 1, \ldots, n$ such
that $A_S \cong \|_{i=1}^{n} P_i(A_S)$ if and only if $A_S$ satisfies the following decomposability conditions (DC):
• DC1: $\forall e_1, e_2 \in E, q \in Q$: $[\delta(q, e_1)! \wedge \delta(q, e_2)!]$
$\Rightarrow [\exists E_i \in \{E_1, \ldots, E_n\}, \{e_1, e_2\} \subseteq E_i] \vee [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$;
• DC2: $\forall e_1, e_2 \in E, q \in Q, s \in E^*$: $[\delta(q, e_1 e_2 s)! \vee \delta(q, e_2 e_1 s)!]$
$\Rightarrow [\exists E_i \in \{E_1, \ldots, E_n\}, \{e_1, e_2\} \subseteq E_i] \vee [\delta(q, e_1 e_2 s)! \wedge \delta(q, e_2 e_1 s)!]$;
• DC3: $\delta(q_0, \big|_{i=1}^{n} p_i(s_i))!$, $\forall \{s_1, \ldots, s_n\} \in \tilde{L}(A_S)$, $\exists s_i, s_j \in \{s_1, \ldots, s_n\}$, $s_i \neq s_j$, where
$\tilde{L}(A_S) \subseteq L(A_S)$ is the largest subset of $L(A_S)$ such that $\forall s \in \tilde{L}(A_S)$, $\exists s' \in \tilde{L}(A_S)$, $\exists E_i, E_j \in \{E_1, \ldots, E_n\}$,
$i \neq j$, $p_{E_i \cap E_j}(s)$ and $p_{E_i \cap E_j}(s')$ start with the same event, and
• DC4: $\forall i \in \{1, \ldots, n\}$, $x, x_1, x_2 \in Q_i$, $x_1 \neq x_2$, $e \in E_i$, $t \in E_i^*$, $\delta_i(x, e) = x_1$, $\delta_i(x, e) = x_2$:
$\delta_i(x_1, t)! \Leftrightarrow \delta_i(x_2, t)!$.

The first two decomposability conditions require the team to be capable of decision on 
choice/order of events, by which for any such decision there exists at least one agent that 
knows both events, or the decision is not important. Moreover, the third and fourth conditions
guarantee that the cooperative perspective of agents from the tasks (parallel composition of local 
task automata) neither allows a string that is prohibited by the global task automaton, nor disables 
a string that is allowed in the global task automaton. 



It was furthermore shown that once the task automaton is decomposed into local task automata 
and local controllers are designed for local plants to satisfy the local specifications, then the global 
specification is guaranteed, by design. 

The next question was the reliability of task decomposability to understand whether a
previously decomposable and achievable global task automaton can still remain decomposable
and achievable by the team, after experiencing some event failures. For this purpose, in [21],
a class of failures was investigated as follows to define a notion of passivity. Consider an
automaton $A = (Q, q_0, E, \delta)$. An event $e \in E$ is said to be failed in $A$ (or $E$), if
$F(A) = P_{\Sigma}(A) = P_{E \backslash e}(A) = (Q, q_0, \Sigma = E \backslash e, \delta^F)$, where $\Sigma$, $\delta^F$ and $F(A)$ denote the post-failure
event set, post-failure transition relation and post-failure automaton, respectively. A set $\bar{E} \subseteq E$
of events is then said to be failed in $A$, when for $\forall e \in \bar{E}$, $e$ is failed in $A$, i.e.,
$F(A) = P_{\Sigma}(A) = P_{E \backslash \bar{E}}(A) = (Q, q_0, \Sigma = E \backslash \bar{E}, \delta^F)$. Considering a parallel distributed plant
$A := \|_{i=1}^{n} A_i = (Z, z_0, E = \bigcup_{i=1}^{n} E_i, \delta_{\|})$ with local agents $A_i = (Q_i, q_i^0, E_i, \delta_i)$, $i = 1, \ldots, n$. Failure of $e$
in $E_i$ is said to be passive in $E_i$ (or $A_i$) with respect to $\|_{i=1}^{n} A_i$, if $E = \bigcup_{i=1}^{n} \Sigma_i$. An event whose
failure in $A_i$ is a passive failure is called a passive event in $A_i$.

The passivity was found to reflect the redundancy of communication links and shown to
be a necessary condition for preserving the automaton decomposability. It was furthermore
shown that when all failed events are passive in the corresponding local event sets, the problem
of decomposability under event failure can be transformed into the standard decomposability
problem to find the conditions under which $A_S \cong \|_{i=1}^{n} P_{E_i \backslash \bar{E}_i}(A_S)$, as follows.

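Lemma 2: (Theorem 1 in [21]) Consider a deterministic task automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^{n} E_i, \delta)$.
Assume that $A_S$ is decomposable, i.e., $A_S \cong \|_{i=1}^{n} P_i(A_S)$, and furthermore, assume that
$\bar{E}_i = \{a_{i,r}\}$ fail in $E_i$, $r \in \{1, \ldots, n_i\}$, and $\bar{E}_i$ are passive for $i \in \{1, \ldots, n\}$. Then, $A_S$ remains
decomposable, in spite of event failures, i.e., $A_S \cong \|_{i=1}^{n} F(P_i(A_S))$ if and only if
• EF1: $\forall e_1, e_2 \in E, q \in Q$: $[\delta(q, e_1)! \wedge \delta(q, e_2)!]$
$\Rightarrow [\exists E_i \in \{E_1, \ldots, E_n\}, \{e_1, e_2\} \subseteq E_i \backslash \bar{E}_i] \vee [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$;
• EF2: $\forall e_1, e_2 \in E, q \in Q, s \in E^*$: $[\delta(q, e_1 e_2 s)! \vee \delta(q, e_2 e_1 s)!]$
$\Rightarrow [\exists E_i \in \{E_1, \ldots, E_n\}, \{e_1, e_2\} \subseteq E_i \backslash \bar{E}_i] \vee [\delta(q, e_1 e_2 s)! \wedge \delta(q, e_2 e_1 s)!]$;
• EF3: $\delta(q_0, \big|_{i=1}^{n} p_i(s_i))!$, $\forall \{s_1, \ldots, s_n\} \in \tilde{L}(A_S)$, $\exists s_i, s_j \in \{s_1, \ldots, s_n\}$, $s_i \neq s_j$, where
$\tilde{L}(A_S) \subseteq L(A_S)$ is the largest subset of $L(A_S)$ such that $\forall s \in \tilde{L}(A_S)$, $\exists s' \in \tilde{L}(A_S)$, $\exists \Sigma_i, \Sigma_j \in \{\Sigma_1, \ldots, \Sigma_n\}$,
$i \neq j$, $p_{\Sigma_i \cap \Sigma_j}(s)$ and $p_{\Sigma_i \cap \Sigma_j}(s')$ start with the same event, and
• EF4: $\forall i \in \{1, \ldots, n\}$, $x, x_1, x_2 \in Q_i$, $x_1 \neq x_2$, $e \in E_i \backslash \bar{E}_i$, $t_1, t_2 \in \bar{E}_i^*$, $\delta_i(x, t_1 e) = x_1$,
$\delta_i(x, t_2 e) = x_2$: $\delta_i(x_1, t_1')! \Leftrightarrow \delta_i(x_2, t_2')!$, for some $t_1'$, $t_2'$ such that $p_{E_i \backslash \bar{E}_i}(t_1') = p_{E_i \backslash \bar{E}_i}(t_2')$.

EF1-EF4 are respectively the decomposability conditions DC1-DC4, after event failures
with respect to parallel composition and natural projections into refined local event sets
$\Sigma_i = E_i \backslash \bar{E}_i$, $i \in \{1, \ldots, n\}$, provided passivity of $\bar{E}_i$, $i \in \{1, \ldots, n\}$.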

In this paper we are interested in the case that a task automaton is not decomposable and would
like to ask whether it is possible to make it decomposable, and if so, whether the automaton
can be made decomposable with minimum number of communication links. This problem is
formally stated as

Problem 1: Consider a deterministic task automaton $A_S$ with event set $E = \bigcup_{i=1}^{n} E_i$ for $n$
agents with local event sets $E_i$, $i = 1, \ldots, n$. If $A_S$ is not decomposable, can we modify the
sets of private and shared events between local event sets such that $A_S$ becomes decomposable
with respect to parallel composition and natural projections $P_i$, with the minimum number of
communication links?

One trivial way to make an automaton $A$ decomposable is to share all events among all
agents, i.e., $E_i = E$, $\forall i = 1, \ldots, n$. This method, however, is equivalent to centralized control.
In general, in distributed large scale systems, one of the objectives is to sustain the system's
functionalities over as few communication links as possible, as will be addressed in
the next section.

III. TASK AUTOMATON DECOMPOSABILIZATION 

A. Motivating Examples 

This section is devoted to Problem 1 and proposes an approach to redefine the set of private and
shared events among agents in order to make an undecomposable task automaton decomposable.
For more elaboration, let us start with some motivating examples.

Example 1: Consider two sequential belt conveyors feeding a bin, as depicted in Figure 1. To
avoid the overaccumulation of materials on Belt B, when the bin needs to be charged, at first
Belt B and then (after a few seconds) Belt A should be started. After filling the bin, to stop the
charge, first Belt A and then after a few seconds Belt B is stopped to get completely emptied.
The global task automaton, showing the order of events in this plant, is shown in Figure 2.
Fig. 1. The process of two belt conveyors charging a bin.

Fig. 2. Global task automaton for belt conveyors and bin.

The local event sets for Belt A and Belt B are $E_A = \{A_{Start}, Bin_{Full}, A_{Stop}\}$ and
$E_B = \{B_{Start}, B_{Stop}, Bin_{Empty}\}$, respectively, with $A_{Start}$ := Belt A start; $Bin_{Full}$ := Bin full; $A_{Stop}$ :=
Belt A stop and wait for 10 Seconds; $B_{Start}$ := Belt B start and wait for 10 Seconds; $B_{Stop}$ :=
Belt B stop, and $Bin_{Empty}$ := Bin empty.

The task automaton is not decomposable with respect to parallel composition and natural
projection $P_i$, $i \in \{A, B\}$, due to violation of DC by successive private event pairs $\{B_{Start}, A_{Start}\}$
and $\{A_{Stop}, B_{Stop}\}$. To make $A_S$ decomposable, $(B_{Start} \vee A_{Start}) \wedge (A_{Stop} \vee B_{Stop})$ should
become common between $E_A$ and $E_B$. Therefore, four options are possible: $(B_{Start} \wedge B_{Stop})$,
$(B_{Start} \wedge A_{Stop})$, $(A_{Start} \wedge B_{Stop})$, or $(A_{Start} \wedge A_{Stop})$ become common. In each of these
options two private events should become common, and hence, all four options are equivalent
in the sense of optimality. Consider for example $A_{Start}$ and $A_{Stop}$ to become common. In
this case the new local event sets are formed as $E_A = \{A_{Start}, Bin_{Full}, A_{Stop}\}$ and
$E_B = \{B_{Start}, B_{Stop}, Bin_{Empty}, A_{Start}, A_{Stop}\}$. The automaton $A_S$ will then become decomposable (i.e.,
$P_A(A_S) \| P_B(A_S) \cong A_S$) with the new local event sets, with the corresponding local task automata
as shown in Figure 3.
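The claim of Example 1 can be checked directly from the definitions of Section II (natural projection by merging states, parallel composition, bisimulation). The following is an added example, not code from the paper; it assumes the automaton of Figure 2 is the six-state cycle in the order the text describes, and all function names and the state numbering are hypothetical.

```python
from itertools import product

def project(trans, q0, Ei):
    """Natural projection P_i(A_S): merge states linked by events outside Ei."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for (q, e), q2 in trans.items():
        find(q); find(q2)
        if e not in Ei:                      # hidden move: q ~ q2
            parent[find(q)] = find(q2)
    local = {}   # (class, event) -> set of classes (may be nondeterministic)
    for (q, e), q2 in trans.items():
        if e in Ei:
            local.setdefault((find(q), e), set()).add(find(q2))
    return local, find(q0), frozenset(Ei)

def compose(locals_):
    """Reachable part of the parallel composition of the local automata."""
    init = tuple(q0 for _, q0, _ in locals_)
    all_events = set().union(*(Ei for _, _, Ei in locals_))
    trans, seen, stack = {}, {init}, [init]
    while stack:
        state = stack.pop()
        for e in all_events:
            # Every agent that knows e must move on it; the others stay put.
            options = [delta.get((q, e), set()) if e in Ei else {q}
                       for (delta, _, Ei), q in zip(locals_, state)]
            succs = set(product(*options))   # empty if an owner blocks e
            if succs:
                trans[(state, e)] = succs
                for s in succs - seen:
                    seen.add(s); stack.append(s)
    return trans, init

def bisimilar(trans_s, q0, comp, init):
    """Greatest-fixed-point bisimulation check between A_S and the composition."""
    det = {key: {q2} for key, q2 in trans_s.items()}
    def states(t, start):
        return {start} | {q for q, _ in t} | {q for v in t.values() for q in v}
    def enabled(t, q):
        return {e for (p, e) in t if p == q}
    R = set(product(states(det, q0), states(comp, init)))
    changed = True
    while changed:
        changed = False
        for (x, y) in list(R):
            ok = enabled(det, x) == enabled(comp, y) and all(
                all(any((x2, y2) in R for y2 in comp[(y, e)]) for x2 in det[(x, e)])
                and all(any((x2, y2) in R for x2 in det[(x, e)]) for y2 in comp[(y, e)])
                for e in enabled(det, x))
            if not ok:
                R.discard((x, y)); changed = True
    return (q0, init) in R

def decomposable(trans, q0, local_sets):
    """True iff the composition of the projections bisimulates A_S."""
    comp, init = compose([project(trans, q0, Ei) for Ei in local_sets])
    return bisimilar(trans, q0, comp, init)

# Constructed input: Figure 2 assumed to be this cycle (state numbers are arbitrary).
BELT = {(0, "Bstart"): 1, (1, "Astart"): 2, (2, "BinFull"): 3,
        (3, "Astop"): 4, (4, "Bstop"): 5, (5, "BinEmpty"): 0}
E_A = {"Astart", "BinFull", "Astop"}
E_B = {"Bstart", "Bstop", "BinEmpty"}

if __name__ == "__main__":
    print("original local event sets:", decomposable(BELT, 0, [E_A, E_B]))
    print("Astart, Astop shared with B:",
          decomposable(BELT, 0, [E_A, E_B | {"Astart", "Astop"}]))
    print("only Astart shared with B:",
          decomposable(BELT, 0, [E_A, E_B | {"Astart"}]))
```

With only one of the two events shared, Belt B's projection still allows $B_{Stop}$ before $A_{Stop}$, which is why the check fails until both successive pairs have a common agent.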

Fig. 3. Local task automata for belt conveyors, with $E_A = \{A_{Start}, Bin_{Full}, A_{Stop}\}$ and
$E_B = \{B_{Start}, B_{Stop}, Bin_{Empty}, A_{Start}, A_{Stop}\}$.

In this example, different sets of private events can be chosen to make $A_S$ decomposable.
All of these sets have the same cardinality, and hence, no optimality issue arises in this example.
The next example shows a case with different choices of private event sets to be shared, suggesting
optimal decomposition by choosing the set with the minimum cardinality.

Example 2: Consider two local event sets $E_1 = \{e_1, e_3\}$ and $E_2 = \{e_2\}$, with the global task
automaton ^ « '^^ . « '^^ . « . This automaton is undecomposable due to violation of
DC by $e_2 \in E_2 \backslash E_1$ and $\{e_1, e_3\} \subseteq E_1 \backslash E_2$. To make it decomposable, one event among the
set $\{e_1, e_2\}$ and another event among the set $\{e_2, e_3\}$ (either $\{e_2\}$ or $\{e_1, e_3\}$) should become
common. Therefore, in order for optimal decomposabilization, $\{e_2\}$ is chosen to become common
due to its minimum cardinality. It is obvious that in this case only one event should become
common while if $\{e_1, e_3\}$ was chosen, then two events were required to be shared.

Motivated by these examples, the core idea in our decomposabilization approach is to first
check the decomposability of a given task automaton $A_S$, by Lemma 1, and if it is not
decomposable, i.e., any of DC1-DC4 is violated, then the proposed method is intended to make $A_S$
decomposable, by eradicating the reasons for dissatisfaction of the decomposability conditions. We will
show that violation of decomposability conditions can be rooted in two different sources: it
can be because of over-communication among agents, that may lead to violation of DC3 or/and
DC4, or due to lack of communication, that may lead to violation of DC1, DC2, DC3 or/and
DC4. Accordingly, decomposability can be enforced using two methods of link deletion and link
addition, subject to the type of undecomposability. Considering link deletion as an intentional
event failure, according to Lemma 2, a link can be deleted only if it is passive and its deletion
respects EF1-EF4. On the other hand, the second method of enforcing decomposability, i.e.,
establishing new communication links, may result in new violations of DC3 or DC4, that should
be treated, subsequently.

In order to proceed with the approach, we first introduce four basic definitions to detect the
components that contribute to the violation of each decomposability condition and then propose basic
lemmas through which the communication links, and hence the local event sets, are modified to
resolve the violations of decomposability conditions.

B. Enforcing DC1 and DC2

This part deals with enforcing of DC1 and DC2. For this purpose, the set of events that
violate DC1 or DC2 is defined as follows.

Definition 1: (DC1&2-Violating set) Consider the global task automaton $A_S$ with local event
sets $E_i$ for $n$ agents such that $E = \bigcup_{i=1}^{n} E_i$. Then, the DC1&2-Violating set operator $V : A_S \to E \times E$
indicates the set of event pairs that violate DC1 or DC2 (violating pairs), and is
defined as $V(A_S) := \{\{e_1, e_2\} \mid e_1, e_2 \in E, \forall E_i \in \{E_1, \ldots, E_n\}, \{e_1, e_2\} \not\subset E_i, \exists q \in Q$ such that
$\delta(q, e_1)! \wedge \delta(q, e_2)! \wedge \neg[\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$ or $\neg[\delta(q, e_1 e_2 s)! \Leftrightarrow \delta(q, e_2 e_1 s)!]\}$, for some $s \in E^*$.

Moreover, $W : A_S \to E$ is defined as $W(A_S) := \{e \in E \mid \exists e' \in E$ such that $\{e, e'\} \in V(A_S)\}$,
and shows the set of events that contribute in $V(A_S)$ (violating events). For a particular event $e$
and a specific local event set $E_i \in \{E_1, \ldots, E_n\}$, $W_e(A_S, E_i)$ is defined as
$W_e(A_S, E_i) = \{e' \in E_i \mid \{e, e'\} \in V(A_S)\}$. This set captures the collection of events from $E_i$ that pair up with $e$ to
contribute in violation of DC1 or DC2. The cardinality of this set will serve as an index for
optimal addition of communication links to make $V(A_S)$ empty.

This definition suggests a way to remove a pair of events $\{e_1, e_2\}$ from $V(A_S)$, by sharing
$e_1$ with one of the agents in $loc(e_2)$ or by sharing $e_2$ with one of the agents in $loc(e_1)$. Once
there exists an agent that knows both events, $loc(e_1) \cap loc(e_2)$ becomes nonempty and $e_1$ and $e_2$
no longer contribute in violation of DC1 or DC2 since $[\exists E_i \in \{E_1, \ldots, E_n\}, \{e_1, e_2\} \subseteq E_i]$
becomes true for $e_1$ and $e_2$ in Lemma 1. Therefore,

Lemma 3: The set $V(A_S)$ becomes empty, if for any $\{e, e'\} \in V(A_S)$, $e$ is included in $E_i$ for
some $i \in loc(e')$, or $e'$ is included in $E_j$ for some $j \in loc(e)$. In this case, $\{e, E_i\}$ or $\{e', E_j\}$ is
called a DC1&2-enforcing pair for DC1&2-violating pair $\{e, e'\}$.

Example 3: In Example 2, $V(A_S) = \{\{e_1, e_2\}, \{e_2, e_3\}\}$, $W(A_S) = \{e_1, e_2, e_3\}$. Including $e_2$
in $E_1$ vanishes $V(A_S)$ and makes $A_S$ decomposable.

However, applying Lemma 3 may offer different options for event sharing, since pairs in $V(A_S)$ may share some events. In this case, the minimum number of event conversions would be obtained by forming a set of events that are most frequently shared between the violating pairs. This gives the minimum cardinality for the set of private events to be shared, leading to the minimum number of added communication links. Such a choice of events offers a set of events that span all violating pairs. These pairs are captured by $W_e(A_S, E_i)$ for any event $e$. In order to minimize the number of added communication links for vanishing $V(A_S)$, one needs to maximize the number of deletions of pairs from $V(A_S)$ per link addition. For this purpose, for any event $e$, $W_e(A_S, E_i)$ is formed to understand the frequency of appearance of $e$ in $V(A_S)$ for any $E_i$, and then the event set $E_i$ with maximum $|W_e(A_S, E_i)|$ is chosen to include $e$ (here, $|\cdot|$ denotes the set's cardinality). In this case, inclusion of $e$ in $E_i$ will delete as many pairs as possible from $V(A_S)$.

Interestingly, these operators can be represented using graph theory as follows. A graph $G = (W, \Sigma)$ consists of a node set $W$ and an edge set $\Sigma$, where an edge is an unordered pair of distinct vertices. Two nodes are said to be adjacent if they are connected through an edge, and an edge is said to be incident to a node if they are connected. The valency of a node is then defined as the number of its incident edges [33]. Now, since we are interested in removing the violating pairs by making one of their events shared, it is possible to consider the violating events as nodes of a graph such that two nodes are adjacent in this graph when they form a violating pair. This graph is formally defined as follows.

Definition 2: (DC1&2-Violating Graph) Consider a deterministic automaton $A_S$. The DC1&2-Violating graph, corresponding to $V(A_S)$, is a graph $G(A_S) = (W(A_S), \Sigma)$. Two nodes $e_1$ and $e_2$ are adjacent in this graph when $\{e_1, e_2\} \in V(A_S)$.

In this formulation, the valency of each node $e$ with respect to a local event set $E_i \in \{E_1, \ldots, E_n\}$ is determined by $val(e, E_i) = |W_e(A_S, E_i)|$. When $e$ is included into $E_i$, it means that all violating pairs containing $e$ and events from $E_i$ are removed from $V(A_S)$, and equivalently, all corresponding incident edges are removed from $G(A_S)$. For this purpose, the following algorithm finds the set with the minimum number of private events to be shared, in order to satisfy DC1 and DC2. The algorithm is accomplished on the graph $G(A_S)$, by finding $e$ and $E_i$ with maximum $|W_e(A_S, E_i)|$ and including $e$ in $E_i$, deleting all edges from $e$ to $E_i$, updating $W(A_S)$, and continuing until there are no more edges in $G(A_S)$ to be deleted.
Algorithm 1:

1) For a deterministic automaton $A_S$, with local event sets $E_i$, $i = 1, \ldots, n$, violating DC1 or DC2, form the DC1&2-Violating graph; set $E_i^0 = E_i$, $i = 1, \ldots, n$; $V^0(A_S) = V(A_S)$; $W^0(A_S) = W(A_S)$; $G^0(A_S) = (W(A_S), \Sigma)$; $k = 1$;

2) Among all events in the nodes in $W^{k-1}(A_S)$, find $e$ with the maximum $|W_e^{k-1}(A_S, E_i^{k-1})|$,

3) $E_i^k = E_i^{k-1} \cup \{e\}$; and delete all edges from $e$ to $E_i^k$;

4) update $W_e^k(A_S, E_i^k)$ for all nodes of $G(A_S)$;

5) set $k = k + 1$ and go to step (2);

6) continue, until there exist no edges.

This algorithm successfully terminates due to the finite set of edges and nodes in the graph $G(A_S)$, and enforces $A_S$ to satisfy DC1 and DC2 as

Lemma 4: Algorithm 1 leads $A_S$ to satisfy DC1 and DC2 with minimum addition of communication links. Moreover, if $A_S$ satisfies DC3 and DC4 and $E_i^k = E_i^{k-1} \cup \{e\}$ in Step 3 does not violate DC3 and DC4 in all iterations, then Algorithm 1 makes $A_S$ decomposable with minimum addition of communication links.

Proof: See the Appendix for proof. ■

Remark 1: (Special case: Two agents) For the case of two agents, since there are only two local event sets, for all $\{e, e'\} \in V(A_S)$, $e$ and $e'$ are from different local event sets, and hence, for $n = 2$, $|W_e(A_S, E_i)|$ is equivalent to $val(e)$, and addition of $e$ into $E_i$ in each step implies the deletion of all incident edges of $e$.

Remark 2: Although Algorithm 1 leads $A_S$ to satisfy DC1 and DC2, it may cause new violations of DC3 and/or DC4, due to establishing new communication links.

Example 4: Consider a task automaton $A_S$: [figure: automaton not recoverable from the source] with local event sets $E_1 = \{a, b, e_1, e_3, e_5\}$ and $E_2 = \{a, b, e_2, e_4, e_6\}$. Both DC1 and DC2 are violated by the event pair $\{e_1, e_2\}$ when they require a decision on a choice and a decision on their order from the initial state, while none of the agents knows both of them. To vanish $V(A_S) = \{\{e_1, e_2\}\}$, two enforcing pairs are suggested: $\{e_1, E_2\}$ ($e_1$ to be included in $E_2$) or $\{e_2, E_1\}$ ($e_2$ to be included in $E_1$). However, inclusion of $e_1$ in $E_2$ causes a new violation of DC4, since with new $E_2 = \{a, b, e_1, e_2, e_4, e_6\}$, $P_2(A_S)$ is obtained as $P_2(A_S)$: [figure: automaton not recoverable from the source], violating DC4 due to new nondeterminism, for which $e_3$ also is required to be included in $E_2$ in order to make $A_S$ decomposable. On the other hand, if instead of including $e_1$ in $E_2$, one included $e_2$ in $E_1$, then besides violation of DC4 (as there does not exist a deterministic automaton that bisimulates $P_2(A_S)$), new violations of DC3 emerged, as with new event set $E_1 = \{a, b, e_1, e_2, e_3, e_5\}$, the parallel composition of [figure: automata not recoverable from the source] produces string $e_1 e_2 e_4 e_5$ that does not appear in $A_S$. To make $A_S$ decomposable, we also need to include $e_1$ and $e_3$ in $E_2$.
C. Enforcing DC3

Lemma 3 proposes adding communication links to make DC1 and DC2 satisfied. The next step is to deal with violations of DC3. In contrast to the cases for DC1 and DC2, a violation of DC3 can be overcome either by disconnecting one of its communication links to prevent the illegal synchronization of strings, or by introducing new shared events to fix strings and avoid illegal interleavings.

To handle a violation of DC3, we firstly define the set of tuples that violate DC3 as follows.

Definition 3: (DC3-violating tuples) Consider a deterministic automaton $A_S$, satisfying DC1 and DC2, and let $\tilde{L}(A_S) \subseteq L(A_S)$ be the largest subset of $L(A_S)$ such that $\forall s \in \tilde{L}(A_S)\ \exists s' \in \tilde{L}(A_S)$, $\exists E_i, E_j \in \{E_1, \ldots, E_n\}$, $i \neq j$, $p_{E_i \cap E_j}(s)$ and $p_{E_i \cap E_j}(s')$ start with the same event $a \in E_i \cap E_j$. For any such $E_i$, $E_j$ and $a$, if $\exists \{s_1, \ldots, s_n\} \in \tilde{L}(A_S)$, $\exists s_i, s_j \in \{s_1, \ldots, s_n\}$, $s_i \neq s_j$, $s_i, s_j \in \tilde{L}(A_S)$, $\neg\delta(q_0, |_{i=1}^{n}\, p_i(s_i))!$, then $a$ is called a DC3-violating event with respect to $s_1$, $s_2$, $E_i$ and $E_j$, and $(s_1, s_2, a, E_i, E_j)$ is called a DC3-violating tuple. The set of all DC3-violating tuples is denoted by DC3-V and defined as DC3-V $= \{(s_1, s_2, a, E_i, E_j) \mid a$ is a DC3-violating event with respect to $s_1$, $s_2$, $E_i$ and $E_j\}$.

Any violation of DC3 can be interpreted in two ways. Firstly, it can be seen as over-communication of a shared event $a$ that leads to synchronization of $s_1$ and $s_2$ in $(s_1, s_2, a, E_i, E_j)$ and the emergence of illegal interleaving strings from the composition of $P_i(A_S)$ and $P_j(A_S)$. In this case, if event $a$ is excluded from $E_i$ or $E_j$, then $a$ will no longer contribute to synchronization to generate illegal interleavings, and hence $(s_1, s_2, a, E_i, E_j)$ will no longer remain a DC3-violating tuple. However, exclusion of $a$ from $E_i$ or $E_j$ is allowed only if it is passive (exclusion is considered as an intentional event failure) and does not violate EF1-EF4. The second interpretation reflects a violation of DC3 as a lack of communication, such that if for any DC3-violating tuple $(s_1, s_2, a, E_i, E_j)$, one event that appears before $a$ in $s_1$ or $s_2$ is shared between $E_i$ and $E_j$, then $P_i(A_S)$ and $P_j(A_S)$ will have enough information to distinguish $s_1$ and $s_2$ to prevent illegal interleaving of strings. Two methods for resolving the violation of DC3 can therefore be stated as the following lemma.

Lemma 5: Consider an automaton $A_S$, satisfying DC1 and DC2. Then any DC3-violating tuple $(s_1, s_2, a, E_i, E_j)$ is overcome, when:

1) $a$ is excluded from $E_i$ or $E_j$ (eligible if it respects passivity and EF1-EF4), or

2) if $\exists b \in (E_i \cup E_j) \setminus (E_i \cap E_j)$ that appears before $a$ in only one of $s_1$ and $s_2$, then $b$ is included in $E_i \cap E_j$; otherwise, pick $e_1 \in p_{E_i \cup E_j}(s_1)$, $e_2 \in p_{E_i \cup E_j}(s_2)$, such that $e_1 \neq e_2$, $e_1$, $e_2$ appear before $a$ in $s_1$ and $s_2$, are included in $E_i \cap E_j$.

To handle a violation of DC3, when $b \in E_i \setminus E_j$ is to be included in $E_j$, then $\{b, E_j\}$ is called a DC3-enforcing pair; while, when $\{e_1, e_2\} \subseteq E_i \setminus E_j$ has to be included in $E_j$, then $\{\{e_1, e_2\}, E_j\}$ is denoted as a DC3-enforcing tuple. Finally, when $e_1 \in E_i \setminus E_j$ and $e_2 \in E_j \setminus E_i$ have to be included in $E_j$ and $E_i$, respectively, then $\{\{e_1, E_j\}, \{e_2, E_i\}\}$ is called a DC3-enforcing tuple.

Proof: See the proof in the Appendix. ■
Remark 3: Applying the first method in Lemma 5, namely, exclusion of $a$ from $E_i$ or $E_j$ in a DC3-violating tuple $(s_1, s_2, a, E_i, E_j)$, is only allowed if $a$ is passive in that local event set, and the exclusion does not violate EF1-EF4. The reason is that once a shared event $a \in E_i \cap E_j$ becomes a private one in, for example, $E_i$, then decision making on the order/selection between any $e \in E_i \setminus a$ and $a$ cannot be accomplished by the $i$-th agent, and if there is no other agent to do so, then $A_S$ becomes undecomposable. Moreover, deletion of a communication link may also result in generation of new interleavings in the composition of local automata that are not legal in $A_S$ (violation of EF3). In addition, deletion of $a$ from $E_i$ may impose a nondeterminism in the bisimulation quotient of $P_i(A_S)$, leading to violation of EF4. On the other hand, the second method, namely, establishing a new communication link by sharing $b$ with $E_i$ or $E_j$, may lead to new violations of DC3 or DC4 that have to be avoided or resolved subsequently.

Both methods in Lemma 5 present ways to resolve the violation of DC3. They differ, however, in the number of added communication links, as the first method deletes links, whereas the second approach adds communication links to enforce DC3. Therefore, in order to have as few links as possible among the agents, one should start with the link deletion method first, and if it is not successful due to violation of passivity or any of EF1-EF4, then link addition is used to remove violating tuples from DC3-V.

Example 5: This example shows an undecomposable automaton that suffers from a conflict on a communication link whose existence violates DC3 whereas its deletion dissatisfies EF1, EF2 and EF4.

Let $snd_e(i)$ and $rcv_e(i)$ respectively denote the set of labels of the agents to which $A_i$ sends $e$ and the set of labels of the agents from which $A_i$ receives $e$, defined as $snd_e(i) = \{j \in \{1, \ldots, n\} \mid A_i$ sends $e$ to $A_j\}$ and $rcv_e(i) = \{j \in \{1, \ldots, n\} \mid i \in snd_e(j)\}$. Consider the task automaton $A_S$: [figure: automaton not recoverable from the source] with communication pattern $2 \in snd_{a,b,c,d}(1)$, $1 \notin snd_{a,b,c,d}(2)$ and local event sets $E_1 = \{a, b, c, d, e_1, e_3, e_5\}$, $E_2 = \{a, b, c, d, e_2\}$, leading to $P_1(A_S)$: [figure: automata not recoverable from the source]

$A_S$ is not decomposable since two strings $e_1 a e_2 e_3$ and $e_1 a e_3 e_2$ are newly generated from the interleaving of strings in $P_1(A_S)$ and $P_2(A_S)$, while they do not appear in $A_S$, and hence DC3 is not fulfilled, due to DC3-violating tuples $(e_1 e_2 a e_3, a e_2, a, E_1, E_2)$ and $(e_2 e_1 a e_3, a e_2, a, E_1, E_2)$. Now, as in Lemma 5, one way to fix the violation of DC3 is by excluding $a$ from $E_2$. However, although $a$ is passive in $E_2$, its exclusion from $E_2$ dissatisfies EF1 (as $\delta(q_0, e_2)! \wedge \delta(q_0, a)! \wedge \neg[\delta(q_0, e_2 a)! \wedge \delta(q_0, a e_2)!]$) and EF2 (since $\delta(q_0, e_1 e_2 a)! \wedge \neg\delta(q_0, e_1 a e_2)!$). In this case, DC4 also will be violated as $P_2(A_S)$ becomes $P_2(A_S)$ = [figure: automaton not recoverable from the source], which bisimulates no deterministic automaton.

Lemma 5 also suggests another method to enforce DC3, by including either $e_1$ in $E_2$ or $e_2$ in $E_1$. Inclusion of $e_1$ in $E_2$, however, leads to another violation of DC4, as it produces a nondeterminism after event $d$. This in turn will need to include $e_5$ in $E_2$ to make $A_S$ decomposable. Alternatively, instead of inclusion of $e_1$ in $E_2$, one can include $e_2$ in $E_1$, which enforces DC3 and makes $A_S$ decomposable. The second method of Lemma 5 is elaborated further in the next example.

Example 6: This example shows handling of DC3-violating tuples using the second method in Lemma 5, i.e., by event sharing. Later on, this example will also be used to illustrate the enforcement of DC4. Now, consider a task automaton $A_S$: [figure: automaton not recoverable from the source] with local event sets $E_1 = \{a, e_1, e_3, e_5\}$ and $E_2 = \{a, e_2, e_4, e_6\}$, and let the three branches in $A_S$ from top to bottom be denoted as $s_1 := e_1 e_3 e_5 a e_2$, $s_3 := a e_6$ and $s_2 := e_5 e_3 e_1 a e_4$. This automaton does not satisfy DC4 (as $P_2(A_S)$ has no deterministic bisimilar automaton), as well as DC3, as the parallel composition of $P_1(A_S)$: [figure] and $P_2(A_S)$: [figure] has illegal interleaving strings $\{e_1 e_3 e_5 a e_4, e_5 e_3 e_1 a e_2\}$, $e_1 e_3 e_5 a e_6$ and $e_5 e_3 e_1 a e_6$, corresponding to DC3-violating tuples $(s_1, s_2, a, E_1, E_2)$, $(s_1, s_3, a, E_1, E_2)$ and $(s_2, s_3, a, E_1, E_2)$, respectively.

For pairs of strings $\{s_1, s_3\}$ and $\{s_2, s_3\}$, there exists an event $e_5 \in (E_1 \cup E_2) \setminus (E_1 \cap E_2)$ that appears before $a$ only in $s_1$ and $s_2$, but not in $s_3$. Therefore, inclusion of $e_5$ in $E_2$ removes the illegal interleavings between $s_1$ and $s_2$ with $s_3$, but not across $s_1$ and $s_2$, as with new $E_2 = \{a, e_2, e_4, e_5, e_6\}$ and $P_2(A_S)$: [figure: automaton not recoverable from the source], $(s_1, s_3, a, E_1, E_2)$ and $(s_2, s_3, a, E_1, E_2)$ are no longer DC3-violating tuples, while $(s_1, s_2, a, E_1, E_2)$ still remains a DC3-violating one with illegal interleavings $e_1 e_3 e_5 a e_4$ and $e_5 e_3 e_1 a e_2$. The reason is that $e_5$ appears before $a$ in both $s_1$ and $s_2$, and there is no event that appears before $a$ only in one of the strings $s_1$ and $s_2$. For this case, according to Lemma 5, two different events that appear before $a$, one from $p_{E_1 \cup E_2}(s_1) = s_1$ and the other from $p_{E_1 \cup E_2}(s_2) = s_2$, i.e., $e_1$ and $e_5$, have to be attached to $E_2$, resulting in $E_2 = \{a, e_1, e_2, e_4, e_5, e_6\}$, $P_2(A_S)$: [figure: automaton not recoverable from the source] and $P_1(A_S) \| P_2(A_S) \cong A_S$.

D. Enforcing DC4

Similar to DC1-DC3, a violation of DC4 can be regarded as a lack of a communication link that causes nondeterminism in a local task automaton. Such an interpretation calls for establishing a new communication link to prevent the emergence of local nondeterminism. Moreover, when this local nondeterminism occurs on a shared event, the corresponding violation of DC4 can be overcome by excluding the shared event from the respective local event set. It should be noted, however, that the event exclusion should respect the passivity and EF1-EF4 conditions. When DC4 is enforced by link additions, similar to what we discussed for DC3, addition of a new communication link may cause new violations of DC3 and/or DC4. To enforce DC4, firstly a DC4-violating tuple is defined as follows.

Definition 4: (DC4-violating tuple) Consider a deterministic automaton $A_S$ with local event sets $E_i$, $i = 1, \ldots, n$, $\forall i \in \{1, \ldots, n\}$, $q, q_1, q_2 \in Q$, $t_1, t_2 \in (E \setminus E_i)^*$, $e \in E_i$, $\delta(q, t_1 e) = q_1 \neq \delta(q, t_2 e) = q_2$, $\exists t \in E^*$, $\delta(q_1, t)!$, but $\nexists t' \in E^*$ such that $\delta(q_2, t')!$, $p_i(t) = p_i(t')$. Then, $(q, t_1, t_2, e, E_i)$ is called a DC4-violating tuple.

This definition suggests the way to overcome the violation of DC4, as stated in the following lemma.

Lemma 6: Any DC4-violating tuple $(q, t_1, t_2, e, E_i)$ is overcome, when:

1) $e$ is excluded from $E_i$ (eligible if it is passive in $E_i$ and its exclusion respects EF1-EF4), or

2) if $\exists e' \in (t_1 \cup t_2) \setminus (t_1 \cap t_2)$, $e'$ is included in $E_i$; otherwise, $e_1 \in t_1$ and $e_2 \in t_2$, such that $e_1 \neq e_2$, are included in $E_i$. In these cases, $\{e', E_i\}$ and $\{\{e_1, e_2\}, E_i\}$ are called DC4-enforcing tuples.

Proof: See the proof in the Appendix. ■

The following examples illustrate the methods in Lemma 6 to enforce DC4.
Example 7: This example shows an automaton that is undecomposable due to a violation of DC4, while DC4 can be enforced using both methods: event exclusion as well as event inclusion. Consider the task automaton $A_S$: [figure: automaton not recoverable from the source] with $E_1 = \{a, b, e_1, e_3\}$, $E_2 = \{a, b, e_2\}$, $2 \in snd_{a,b}(1)$, $1 \notin snd_{a,b}(2)$, leading to $P_1(A_S)$: [figure], $P_2(A_S)$: [figure], and $\|_{i=1}^{2} P_i(A_S)$ = [figure], which is not bisimilar to $A_S$, due to violation of DC4, as there does not exist a deterministic automaton $P_2'(A_S)$ such that $P_2'(A_S) \cong P_2(A_S)$. Here, $(q_0, t_1 = e_1, t_2 = \varepsilon, a, E_2)$ is a DC4-violating tuple. Since $a$ is passive in $E_2$ and its exclusion from $E_2$ keeps EF1-EF4 valid, according to Lemma 6, one way to enforce DC4 is exclusion of $a$ from $E_2$, resulting in $E_2 = \{b, e_2\}$, $P_2(A_S)$: [figure] and $P_1(A_S) \| P_2(A_S) \cong A_S$.

Another suggestion of Lemma 6 to overcome the DC4-violating tuple $(q_0, t_1 = e_1, t_2 = \varepsilon, a, E_2)$ is addition of a communication link to prevent the nondeterminism in $P_2(A_S)$. Since there exists $e_1$ that appears before $a$ in $t_1$ only, inclusion of $e_1$ in $E_2$ also enforces DC4, as with new $E_2 = \{a, b, e_1, e_2\}$, $P_2(A_S)$: [figure] and $\|_{i=1}^{2} P_i(A_S) \cong A_S$. For the cases that there does not exist an event $b$ that appears before $a$ in only one of the strings $t_1$ or $t_2$, according to Lemma 6, one needs to attach one event from each of the two strings $t_1$ and $t_2$ in $E_i$. For instance, consider the DC4-violating tuple $(t_1 = e_1 e_3 e_5, t_2 = e_5 e_3 e_1, a, E_2)$ in Example 6 with no event that appears before $a$ in $(t_1 \cup t_2) \setminus (t_1 \cap t_2)$. In that case $\{e_1 \in t_1, e_5 \in t_2\}$ can be included in $E_2$ to make $A_S$ decomposable, as was shown in Example 6.

Example 8: Example 7 showed a violation of DC4 that could be overcome using both methods in Lemma 6, namely, by link deletion and link addition. In Example 7, event $a$ was a passive shared event whose exclusion from $E_2$ respected EF1-EF4; otherwise it was not allowed to be excluded. If the task automaton was [figure: automaton not recoverable from the source] with $E_1 = \{a, b, e_1, e_3\}$, $E_2 = \{a, b, e_2\}$, then DC4 could not be enforced by exclusion of $a$ from $E_2$, as EF2 was violated since after this exclusion, no agent can handle the decision making on the order of $a$ and $e_2$. Another constraint for link deletion is the passivity of the event. For example, consider $A_S'$: [figure: automaton not recoverable from the source] with $E_1 = \{e_1, a\}$, $E_2 = \{e_2, e_4, a\}$. $A_S'$ is not decomposable due to violation of DC4 in $P_1(A_S)$: [figure: automaton not recoverable from the source]. The nondeterminism in $P_1(A_S)$, and accordingly the DC4-violating tuple $(q_0, \varepsilon, e_2, e_1, E_1)$, cannot be removed by event exclusion since it occurs on $e_1$, which is not a shared event. To enforce DC4 according to Lemma 6, $e_2$ is required to be included into $E_1$, which makes $A_S'$ decomposable.

Another important issue for addition of a communication link to enforce DC4 is that establishing a new communication link may lead to new violations of DC3 or DC4, as is shown in the following example.

Example 9: Assume the task automaton in Example 7 had a part as shown in the left hand side of the initial state in $A_S$: [figure: automaton not recoverable from the source] with $E_1 = \{a, b, c, d, e_1, e_3, e_5\}$, $E_2 = \{a, b, c, d, e_2\}$. Identical to Example 7, $(q_0, t_1 = e_1, t_2 = \varepsilon, a, E_2)$ is a DC4-violating tuple and can be overcome by excluding $a$ from $E_2$, removing the nondeterminism on $a$ in $P_2(A_S)$. However, unlike Example 7, including $e_1$ into $E_2$ (i.e., $E_2 = \{a, b, c, d, e_1, e_2\}$) leads to a new violation of DC4 in $P_2(A_S)$: [figure: automaton not recoverable from the source] with a DC4-violating tuple $(\delta(q_0, c), e_5, \varepsilon, e_1, E_2)$, that in turn requires attachment of $e_5$ to $E_2$, in order to enforce DC4.

If in this example the order of $e_2$ and $b$ was reversed, i.e., the task automaton was $A_S'$: [figure: automaton not recoverable from the source] with $E_1 = \{a, b, c, d, e_1, e_3, e_5\}$, $E_2 = \{a, b, c, d, e_2\}$, then, as was shown in Example 8, the DC4-violating tuple $(q_0, e_1, \varepsilon, a, E_2)$ could not be dealt with by exclusion of $a$ from $E_2$, due to EF2, nor by inclusion of $e_1$ into $E_2$ (since, as mentioned above, it generates a new violation of DC4 that consequently requires another inclusion of $e_5$ into $E_2$ to satisfy DC4).

Remark 4: Both Lemmas 5 and 6 provide sufficient conditions for resolving the violations of DC3 and DC4, respectively. They do not, however, provide the necessary solutions, nor the optimal solutions, as illustrated in the following example. We will show that for DC3 and DC4, in general one needs to search exhaustively to find the optimal sequence of enforcing tuples, to have the minimum number of link additions. In this sense, instead of an exhaustive search for the optimal solution, it is reasonable to introduce sufficient conditions to provide a tractable procedure for a feasible solution to make an automaton decomposable.

Example 10: Consider a task automaton $A_S$: [figure: automaton not recoverable from the source] with local event sets $E_1 = \{a, b, c, e_1, e_3, e_5, e_7\}$ and $E_2 = \{a, b, c, e_2, e_4, e_6, e_8\}$. $A_S$ is undecomposable due to DC3-violating tuples $(e_1 e_5 e_3 a e_2, e_3 e_5 e_1 a e_4, a, E_1, E_2)$ and $(e_1 e_7 e_5 b e_6, e_7 e_5 e_1 b e_8, a, E_1, E_2)$ and DC4-violating tuples $(q_0, e_1 e_5 e_3, e_3 e_5 e_1, a, E_2)$ and $(\delta(q_0, c), e_1 e_7 e_5, e_7 e_5 e_1, b, E_2)$. According to Lemmas 5 and 6, two enforcing tuples $\{\{e_1, e_3\}, E_2\}$ and $\{\{e_1, e_7\}, E_2\}$ remove all violations of DC3 and DC4. However, this solution is not unique, nor optimal, as the enforcing tuple $\{\{e_1, e_5\}, E_2\}$ enforces DC3 and DC4 with the minimum number of added communication links.



E. Exhaustive search for optimal decomposabilization

Another difficulty is that enforcing the decomposability conditions using link deletion is limited to passivity and EF1-EF4, and after deletion of redundant links (those that are passive and whose deletion respects EF1-EF4), the only way to make the automaton decomposable is to establish new communication links. Addition of new links, on the other hand, may lead to new violations of DC3 or DC4 (as illustrated in Examples 5 and 9), and in turn may introduce new violations. It means that, in general, resolution of decomposability conditions can dynamically result in new violations of decomposability conditions, as is elaborated in the following example.
Example 11: Consider the task automaton $A_S$: [figure: automaton not recoverable from the source] with $E_1 = \{a, b, c, d, f, g, e_1, e_3, e_5\}$ and $E_2 = \{a, b, c, d, f, g, e_2, e_4, e_6, e_8, e_{10}, e_{12}\}$. This automaton is undecomposable due to DC2-violating event pairs $\{(e_1, e_2), (e_2, e_3)\}$ with the corresponding enforcing tuples $\{e_1, E_2\}$, $\{e_3, E_2\}$ and $\{e_2, E_1\}$ and with the following possible sequences:

1) $\{e_1, E_2\}$; $\{e_3, E_2\}$: in this case $A_S$ becomes decomposable, without emerging new violations of decomposability conditions;

2) $\{e_1, E_2\}$; $\{e_2, E_1\}$; $\{\{e_4, e_6\}, E_1\}$; $\{e_8, E_1\}$: if after including $e_1$ in $E_2$, $e_2$ is included in $E_1$, then two DC4-violating tuples $(\delta(q_0, e_1), \varepsilon, e_4, e_2, E_1)$ and $(\delta(q_0, e), \varepsilon, e_6, e_2, E_1)$ emerge that in turn require $\{e_4, e_6\}$ to be attached to $E_1$. Inclusion of $e_4$ in $E_1$, on the other hand, introduces another DC4-violating tuple $(\delta(q_0, f), \varepsilon, e_8, e_4, E_1)$ that calls for attachment of $e_8$ to $E_1$; similarly

3) $\{e_3, E_2\}$; $\{e_1, E_2\}$;

4) $\{e_3, E_2\}$; $\{e_2, E_1\}$; $\{\{e_4, e_6\}, E_1\}$; $\{e_8, E_1\}$, and

5) $\{e_2, E_1\}$; $\{\{e_4, e_6\}, E_1\}$; $\{e_8, E_1\}$.

In this example, the first and the third sequences, i.e., $\{\{e_1, e_3\}, E_2\}$, give the optimal choice with the minimum number of added communication links, although initially $\{e_2, E_1\}$ seemed to offer the optimal solution.

Therefore, in general an optimal solution to Problem 1 will be obtained through an exhaustive search, using Lemmas 4, 5 and 6, as stated in the following algorithm.

Algorithm 2:

1) For any local event set, exclude any passive event whose exclusion respects EF1-EF4;

2) identify all DC1&2-violating tuples, DC3-violating tuples and DC4-violating tuples and their respective enforcing tuples;

3) among all enforcing tuples, find the one that corresponds to the most violating tuples;

4) if applying the enforcing tuple with the maximum number of violating tuples does not impose new violations of DC3 or DC4, then apply it, go to Step 3 and continue until there are no violating tuples; otherwise, do the exhaustive search to find the sequence of link additions with the minimum number of added links.

5) end.

Lemma 7: Consider a deterministic task automaton $A_S$ with local event sets $E_i$ such that $E = \bigcup_{i=1}^{n} E_i$. If $A_S$ is not decomposable with respect to parallel composition and natural projections $P_i$, $i = 1, \ldots, n$, Algorithm 2 optimally makes $A_S$ decomposable, with the minimum number of communication links.

Proof: See the proof in the Attachment. ■

Remark 5: (Special case: Automata with mutual exclusive branches) When branches of $A_S$ share no events (i.e. $\forall q \in Q$, $s, s' \in E^*$, $\delta(q, s)!$, $\delta(q, s')!$, $s \nleq s'$, $s' \nleq s$: $s \cap s' = \emptyset$), due to the definition of DC3 and DC4 in Lemma 1, DC3 and DC4 are trivially satisfied, and moreover, since branches from any state share no event, Algorithm 2 is reduced to Algorithm 1.

F. Feasible solution for task decomposabilization

As Example 11 showed, in general, additions of communication links may successively introduce new violations of decomposability conditions, for which new links should be established. Therefore, in general an optimal solution to Problem 1 requires an exhaustive search, using Lemmas 4, 5 and 6. Moreover, checking DC3 and DC4 is a nontrivial task, while it has to be accomplished initially as well as upon each link addition. It would therefore be very tractable if we could define a procedure to make DC3 and DC4 satisfied without their examination. The following result takes an automaton whose DC1 and DC2 are made satisfied using Algorithm 1 and proposes a sufficient condition to fulfill DC3 and DC4.

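Lemma 8: Consider a deterministic automaton $A_S$, satisfying DC1 and DC2. $A_S$ satisfies DC3 and DC4 if the following steps are accomplished on $A_S$:

1) $\forall s_1, s_2 \in E^*$, $s_1 \nleq s_2$, $s_2 \nleq s_1$, $q, q_1, q_2 \in Q$, $\delta(q, s_1) = q_1 \neq \delta(q, s_2) = q_2$, $[\nexists e_1, e_2 \in E, e_1 e_2 \leq s_1, e_2 e_1 \leq s_2, \forall t \in E^*, \delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!]$, $\exists e \in s_1 \cap s_2$, then $\forall i \in loc(e)$, $\forall e' \in \{e_1 \leq t_1, e_2 \leq t_2\}$, $e'$ appears before $e$, include $e'$ in $E_i$.

2) go to Step 1 and continue until $\forall s_1, s_2 \in E^*$, $s_1 \nleq s_2$, $s_2 \nleq s_1$, $q, q_1, q_2 \in Q$, $\delta(q, s_1) = q_1 \neq \delta(q, s_2) = q_2$, $\exists e \in s_1 \cap s_2$, $[\nexists e_1, e_2 \in E, e_1 e_2 \leq s_1, e_2 e_1 \leq s_2, \forall t \in E^*, \delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!]$, then $\forall i \in loc(e)$, $E_i$ contains the first events of $s_1$ and $s_2$ that appear before $e$.

Proof: See the proof in the Attachment. ■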
Remark 6: The condition in Lemma 8 intuitively means that for any two strings $s_1$, $s_2$ from any state $q$, sharing an event $e$, all agents who know this event $e$ will be able to distinguish the two strings if they know the first event of each string. The ability of those agents that know this event $e$ to distinguish strings $s_1$ and $s_2$ prevents illegal interleavings (to enforce DC3) and local nondeterminism (to satisfy DC4). The significance of this condition is that it does not require checking DC3 and DC4; instead it provides a tractable (but more conservative) procedure to enforce DC3 and DC4. The expression $s_1 \nleq s_2$, $s_2 \nleq s_1$ in the lemma is to exclude the pairs of strings in which one of them is a substring of the other, as their language product does not exceed the strings of $A_S$, provided DC1 and DC2. Moreover, the expression $[\nexists e_1, e_2 \in E, e_1 e_2 \leq s_1, e_2 e_1 \leq s_2, \forall t \in E^*, \delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!]$ in this lemma excludes the pairs of strings $e_1 e_2 t$ and $e_2 e_1 t$ from any $q \in Q$ that have already been checked using DC1 and DC2 and do not form illegal interleaving strings, and hence do not need to include $e_1$ in the local event sets of $e_2$ and vice versa (see Example 12).

Combination of Lemmas 4 and 8 leads to the following algorithm as a sufficient condition to make a deterministic task automaton decomposable. The following algorithm uses Lemma 4 to enforce DC1 and DC2, followed by Lemma 8 to overcome the violations of DC3 and DC4.

Algorithm 3:

1) For a deterministic automaton $A_S$, with local event sets $E_i$, $i = 1, \ldots, n$, $\forall E_i \in \{E_1, \ldots, E_n\}$, $E_i^0 = E_i \setminus \{e \in E_i \mid e$ is passive in $E_i$ and exclusion of $e$ from $E_i$ does not violate EF1-EF4$\}$;

2) form the DC1&2-Violating graph; set $V^0(A_S) = V(A_S)$; $W^0(A_S) = W(A_S)$; $G^0(A_S) = (W(A_S), \Sigma)$; $k = 1$;

3) Among all events in the nodes in $W^{k-1}(A_S)$, find $e$ with the maximum $|W_e^{k-1}(A_S, E_i^{k-1})|$, for all $E_i^{k-1} \in \{E_1^{k-1}, \ldots, E_n^{k-1}\}$;

4) $E_i^k = E_i^{k-1} \cup \{e\}$; and delete all edges from $e$ to $E_i^k$;

5) update $W_e^k(A_S, E_i)$ for all nodes of $G(A_S)$;

6) set $k = k + 1$ and go to step (3);

7) continue, until there exist no edges.

8) $\forall s_1, s_2 \in E^*$, $s_1 \nleq s_2$, $s_2 \nleq s_1$, $q, q_1, q_2 \in Q$, $\delta(q, s_1) = q_1 \neq \delta(q, s_2) = q_2$, $[\nexists e_1, e_2 \in E, e_1 e_2 \leq s_1, e_2 e_1 \leq s_2, \forall t \in E^*, \delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!]$, $\exists e \in s_1 \cap s_2$, then $\forall i \in loc(e)$, $\forall e' \in \{e_1 \leq t_1, e_2 \leq t_2\}$, $e'$ appears before $e$, include $e'$ in $E_i$.

9) go to Step 1 and continue until $\forall s_1, s_2 \in E^*$, $s_1 \nleq s_2$, $s_2 \nleq s_1$, $q, q_1, q_2 \in Q$, $\delta(q, s_1) = q_1 \neq \delta(q, s_2) = q_2$, $\exists e \in s_1 \cap s_2$, $[\nexists e_1, e_2 \in E, e_1 e_2 \leq s_1, e_2 e_1 \leq s_2, \forall t \in E^*, \delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!]$, then $\forall i \in loc(e)$, $E_i$ contains the first events of $s_1$ and $s_2$ that appear before $e$.

Based on this formulation, a solution to Problem 1 is given as the following theorem.

Theorem 1: Consider a deterministic task automaton $A_S$ with local event sets $E_i$ such that $E = \bigcup_{i=1}^{n} E_i$. If $A_S$ is not decomposable with respect to parallel composition and natural projections $P_i$, $i = 1, \ldots, n$, Algorithm 3 makes $A_S$ decomposable. Moreover, if after Step 7, DC3 and DC4 are satisfied, then the algorithm makes $A_S$ decomposable, with the minimum number of communication links.

Proof: After excluding the redundant shared events in the first step, the algorithm enforces DC1 and DC2 in Steps 2 to 7, according to Lemma 4, and deals with DC3 and DC4 in Steps 8 and 9, based on Lemma 8. ■

Remark 7: If after Step 7, no violation of DC3 or DC4 is reported in the automaton, then $A_S$ is made decomposable with the minimum number of added communication links; otherwise, the optimal solution can be obtained through exhaustive search by examining the number of added links for any possible sequence of enforcing tuples, using Lemmas 5 and 6, as was presented in Lemma 7. To avoid the exhaustive search, the algorithm provides a sufficient condition to enforce DC3 and DC4 in Steps 8 and 9, according to Lemma 8. The algorithm terminates, due to the finite number of states and events, and the fact that in the worst case, when all events are shared among all agents, the task automaton is trivially decomposable.

Example 12: Consider a task automaton [figure: automaton not recoverable from the source] with local event sets $E_1 = \{a, b, c, d, f, e_1, e_3, e_5, e_7, e_9, e_{11}\}$ and $E_2 = \{a, b, c, d, f, e_2, e_4, e_6, e_8, e_{10}, e_{12}\}$, with the communication pattern $2 \in snd_{a,b,c,d}(1)$ and no more communication links. This task automaton is not decomposable, due to the set of DC1&2-violating tuples $\{e_1, e_2\}$, $\{e_1, e_4\}$, $\{e_2, e_3\}$, $\{e_2, e_5\}$, $\{e_3, e_4\}$, $\{e_4, e_5\}$, DC3-violating tuples $(e_{11} a d e_{10}, a e_7 e_6, a, E_1, E_2)$, $(e_{11} a d e_{10}, a e_6 e_7, a, E_1, E_2)$, $(e_{11} a e_{10} d, a e_7 e_6, a, E_1, E_2)$, $(e_{11} a e_{10} d, a e_6 e_7, a, E_1, E_2)$ and DC4-violating tuple $(q_0, e_{11}, \varepsilon, a, E_2)$. There is also one event $d$ that is redundantly shared with $E_2$, as $d$ is passive in $E_2$ and its exclusion respects EF1-EF4. Therefore, at the first step, the algorithm excludes $d$ from $E_2$.

The next step is to construct the DC1&2-Violating graph and remove its edges by sharing one node from each edge. The set of DC1&2-violating event pairs is obtained as $V^0(A_S) = \{\{e_1, e_2\}, \{e_1, e_4\}, \{e_2, e_3\}, \{e_2, e_5\}, \{e_3, e_4\}, \{e_4, e_5\}\}$ with $W^0(A_S) = \{e_1, e_2, e_3, e_4, e_5\}$. It can be seen that the private events $d$, $e_6$, $e_7$, $e_8$, $e_9$, $e_{10}$, $e_{11}$, $e_{12}$, and shared events $a$, $b$, $c$, $f$ are not included in $W^0(A_S)$ as they have no contribution to the violation of DC1 and DC2. The DC1&2-Violating graph is shown in Figure 4(a).

Fig. 4. Illustration of enforcing DC1 and DC2 in Example 12 using Algorithm 3.

The maximum $|W_e^{k-1}(A_S, E_i^{k-1})|$ is formed by $\{e_2, e_4\}$ with respect to $E_1$ (here, since the system has only two local event sets, $|W_e^{k-1}(A_S, E_i^{k-1})|$ coincides with the valency of $e$ in the graph). Marking $e_2$, including it in $E_1$ ($E_1^1 = \{a, b, c, d, e_1, e_3, e_5, e_7, e_9, e_{11}, e_2\}$), removing its incident edges to $E_1$ and updating $|W_e^k(A_S, E_i^k)|$ (valencies) are shown in Figure 4(b). The next step includes $e_4$ in $E_1$ ($E_1^2 = \{a, b, c, d, e_1, e_3, e_5, e_7, e_9, e_{11}, e_2, e_4\}$), as it has the highest $|W_e^k(A_S, E_i^k)|$; removing its incident edges to $E_1$ and updating $|W_e^k(A_S, E_i^k)|$ accomplishes the enforcing of DC1 and DC2 upon Step 7, as illustrated in Figure 4(c). If $e_4$ had been chosen instead of $e_2$ at the first stage, the procedure would be performed similarly, as depicted in Figures 4(d) and (e), resulting in the same set of private events $\{e_2, e_4\}$ to be shared with $E_1$. Inclusion of $e_2$ in $E_1$, however, introduces a new DC4-violating tuple $(\delta(q_0, b), \varepsilon, e_8, e_2, E_1)$ that will be automatically overcome in Step 8 by sharing $e_8 \in s_1 = e_8 e_2 e_{12}$ (as $s_1 = e_8 e_2 e_{12}$ together with $s_2 = e_2 e_6 e_9$ evolve from $\delta(q_0, b)$, sharing $e_2 \in s_1 \cap s_2$) in all local event sets of $e_2$, i.e., by including $e_8$ into $E_1$. Similarly, inclusion of $e_{11}$ in $E_2$ overcomes the DC4-violating tuple $(q_0, e_{11}, \varepsilon, a, E_2)$. It is worth noting that the expression "$\nexists e_1, e_2 \in E$, $e_1 e_2 \leq s_1$, $e_2 e_1 \leq s_2$, $\forall t \in E^*$, $\delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!$" in Step 8 prevents unnecessary inclusion of $e_{10}$ in $E_1$ as well as $e_7$ in $E_2$ and $e_6$ in $E_1$ ($e_6$ and $e_7$ satisfy DC1-DC2, and $e_{10}$ and $d$ satisfy EF1-EF2). The algorithm terminates at this stage, leading to decomposability of $A_S$, with $E_1 = \{a, b, c, d, e_1, e_3, e_5, e_7, e_9, e_{11}, e_2, e_4, e_8\}$ and $E_2 = \{a, b, c, e_2, e_4, e_6, e_8, e_{10}, e_{11}, e_{12}\}$.
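The DC1/DC2 enforcement walked through in Example 12 can be reproduced with a short greedy routine. This is an added example, not code from the paper: the function names and the `prefer` tie-break parameter are hypothetical, the event sets and violating pairs are transcribed from the example (after $d$ is excluded from $E_2$), and Steps 8 and 9 (DC3 and DC4) are not modelled.

```python
# Example 12 data, transcribed from the text (d already excluded from E_2).
E1 = {"a", "b", "c", "d", "f", "e1", "e3", "e5", "e7", "e9", "e11"}
E2 = {"a", "b", "c", "f", "e2", "e4", "e6", "e8", "e10", "e12"}
PAIRS = [("e1", "e2"), ("e1", "e4"), ("e2", "e3"),
         ("e2", "e5"), ("e3", "e4"), ("e4", "e5")]


def unresolved(pairs, local_sets):
    """Edges still in the violating graph: pairs that no local event set contains."""
    return [p for p in pairs if not any(set(p) <= s for s in local_sets)]


def enforce_dc12(pairs, local_sets, prefer=()):
    """Greedily share events until no DC1&2-violating edge is left.

    Each round picks the event e and local set E_i with the largest number of
    violating partners of e inside E_i, adds e to E_i and drops those edges.
    `prefer` (hypothetical parameter) only breaks ties between equal counts.
    Returns (updated local sets, [(event, agent index starting at 1), ...]).
    """
    sets = [set(s) for s in local_sets]
    links = []
    while edges := unresolved(pairs, sets):
        nodes = {x for p in edges for x in p}
        best_key, best = (0, False), None
        for i, s in enumerate(sets):
            for e in sorted(nodes - s):
                # partners of e that lie in E_i and still share an edge with e
                w = {y for p in edges if e in p for y in p if y != e and y in s}
                key = (len(w), e in prefer)
                if w and key > best_key:
                    best_key, best = key, (e, i)
        if best is None:
            raise ValueError("a violating event belongs to no local event set")
        e, i = best
        sets[i].add(e)
        links.append((e, i + 1))
    return sets, links


if __name__ == "__main__":
    final_sets, added = enforce_dc12(PAIRS, [E1, E2])
    print("links added:", added)
    print("remaining violating pairs:", unresolved(PAIRS, final_sets))
```

Passing `prefer=("e4",)` reproduces the alternative order of Figures 4(d) and (e) and ends with the same two shared events.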

IV. CONCLUSIONS 

The paper proposed a method for task automaton decomposabilization, applicable in top-down cooperative control of distributed discrete event systems. This result is a continuation of our previous works on task automaton decomposition [19], [20], and fault-tolerant cooperative tasking [21], and investigates the follow-up question of how an originally undecomposable task automaton can be made decomposable by modifying the event distribution among the agents.

First, using the decomposability conditions, the sources of undecomposability were identified, and then a procedure was proposed to establish new communication links in order to enforce the decomposability conditions. To avoid the exhaustive search and the difficulty of checking the decomposability conditions in each step, a feasible solution was proposed as a sufficient condition that can make any deterministic task automaton decomposable.



V. APPENDIX 

A. Proof of Lemma 4

The following lemma will be used in the proof.

Lemma 9: Consider two non-increasing chains $a_i$, $b_i$, $i = 1, \ldots, N$, such that $a_1 \geq a_2 \geq \cdots \geq a_N > 0$, $b_1 \geq b_2 \geq \cdots \geq b_N > 0$. Then $\sum_{i=1}^{N} a_i < \sum_{i=1}^{N} b_i$ implies that $\exists k \in \{1, \ldots, N\}$ such that $a_k < b_k$.

Proof: Suppose by contradiction that $\sum_{i=1}^{N} a_i < \sum_{i=1}^{N} b_i$, but $\nexists k \in \{1, \ldots, N\}$ such that $a_k < b_k$. Then, $\forall k \in \{1, \ldots, N\}: a_k \geq b_k$. Therefore, since $a_k, b_k > 0$, $\forall k \in \{1, \ldots, N\}$, it results in $\sum_{i=1}^{N} a_i \geq \sum_{i=1}^{N} b_i$, which contradicts the hypothesis, and the proof follows. ■

Now, we prove Lemma 4 as follows. In each iteration $k$, for the event $e$ and local event set $E_i$ with maximum $|W_e^{k-1}(A_S, E_i^{k-1})|$, all edges from $e$ to $E_i$ are deleted. Denoting the set of deleted edges in the $k$-th iteration by $\Delta\Sigma^k$, in each iteration $k$, some elements of $\Sigma^{k-1}$ are moved into $\Delta\Sigma^k$ until, after $K$ iterations, there are no more elements to be moved into a new set. This iterative procedure leads to a partitioning of $\Sigma$ by $\{\Delta\Sigma^k\}_{k=1}^{K}$, as $\Delta\Sigma^k \cap \Delta\Sigma^l = \emptyset$, $\forall k, l \in \{1, \ldots, K\}$, $k \neq l$, and $\bigcup_{k=1}^{K} \Delta\Sigma^k = \Sigma$. The latter equality leads to

$$\sum_{k=1}^{K} |\Delta\Sigma^k| = |\Sigma| \qquad (1)$$

Now, we want to prove that

$$|\Delta\Sigma^k| = |\Delta\Sigma^k|_{max}, \ \forall k \in \{1, \ldots, K\} \Rightarrow K = K_{min} \qquad (2)$$

Here, $K$ is the total number of iterations, which is also equal to the number of added communication links to remove violations of DC1 and DC2. In this sense, $K$ is desired to be minimized.

The proof of (2) is by contradiction as follows. Suppose that $|\Delta\Sigma^k| = |\Delta\Sigma^k|_{max}$, $\forall k \in \{1, \ldots, K\}$, but $K \neq K_{min}$, i.e., there exists another partitioning $\{\Delta'\Sigma^k\}_{k=1}^{K'}$, with $K' < K$ partitions, leading to

$$\sum_{k=1}^{K'} |\Delta'\Sigma^k| = |\Sigma| \qquad (3)$$

In this case, from (1) and (3), we have

$$\sum_{k=1}^{K} |\Delta\Sigma^k| = \sum_{k=1}^{K'} |\Delta\Sigma^k| + \sum_{k=K'+1}^{K} |\Delta\Sigma^k| = \sum_{k=1}^{K'} |\Delta'\Sigma^k|. \qquad (4)$$

Since $|\Delta\Sigma^k| > 0$, $\forall k \in \{1, \ldots, K\}$, then $\sum_{k=K'+1}^{K} |\Delta\Sigma^k| > 0$, and (4) results in

$$\sum_{k=1}^{K'} |\Delta\Sigma^k| < \sum_{k=1}^{K'} |\Delta'\Sigma^k|. \qquad (5)$$

Moreover, since $|\Delta\Sigma^k| > 0$, $|\Delta'\Sigma^k| > 0$, $\forall k \in \{1, \ldots, K\}$, then (5) together with Lemma 9 imply that $\exists k \in \{1, \ldots, K'\} \subset \{1, \ldots, K\}$, i.e., $|\Delta\Sigma^k| < |\Delta'\Sigma^k|$, i.e., $\exists k \in \{1, \ldots, K\}$ such that $|\Delta\Sigma^k| \neq |\Delta\Sigma^k|_{max}$, which contradicts the hypothesis, and hence, (2) is proven. Moreover, if automaton $A_S$ has no violations of DC3 and DC4 before and during the iterations, then the algorithm makes it decomposable with the minimum number of added communication links, since the problem of making it decomposable is reduced to optimal enforcing of DC1 and DC2.

B. Proof for Lemma 5

For any DC3-violating tuple $(s_1, s_2, a, E_i, E_j)$, exclusion of $a$ from $E_i$ or $E_j$ excludes $a$ from $E_i \cap E_j$, so that $p_{E_i \cap E_j}(s_1)$ and $p_{E_i \cap E_j}(s_2)$ do not start with $a$, and hence $(s_1, s_2, a, E_i, E_j)$ will no longer act as a DC3-violating tuple.

For the second method in this lemma, firstly $\forall q \in Q$, $s_1, s_2 \in E^*$, $\delta(q, s_1)!$, $\delta(q, s_2)!$, $p_{E_i \cap E_j}(s_1)$ and $p_{E_i \cap E_j}(s_2)$ start with $a$, such that $(s_1, s_2, a, E_i, E_j)$ is a DC3-violating tuple, $\exists b \in (E_i \cup E_j) \backslash (E_i \cap E_j)$ such that $b$ appears before $a$ in $s_1$ or $s_2$ (since $A_S$ is deterministic and $p_{E_i \cap E_j}(s_1)$ and $p_{E_i \cap E_j}(s_2)$ start with $a$).

Two cases are possible here: $b$ appears in only one of the strings $s_1$ or $s_2$; or $b$ appears in both strings. If $b$ appears before $a$ in only one of the strings, then without loss of generality, assume that $b$ belongs to only $s_1$, and hence, $\exists q, q_1, q_2, q_1', q_1'' \in Q_i \times Q_j$, $\omega_1, \omega_2 \in [(E_i \cup E_j) \backslash (E_i \cap E_j)]^*$, $\omega_1' \in (E_i \cup E_j)^*$, $a \in E_i \cap E_j$ such that $\delta_{i,j}(q, \omega_1) = q_1'$, $\delta_{i,j}(q_1', b) = q_1''$, $\delta_{i,j}(q_1'', \omega_1') = q_1$, $\delta_{i,j}(q_1, a)!$, $\delta_{i,j}(q, \omega_2) = q_2$, $\delta_{i,j}(q_2, a)!$, where $\delta_{i,j}$ is the transition relation in $P_i(A_S) || P_j(A_S)$. Now, due to the synchronization constraint in parallel composition, inclusion of $b$ in $E_i \cap E_j$ means that $([q_1'']_i, y)$ and $(x, [q_1'']_j)$ are accessible in $P_i(A_S) || P_j(A_S)$ only if $y = [q_1'']_j$ and $x = [q_1'']_i$, respectively. This means that $([q_1]_i, [q_2]_j)$ and $([q_2]_i, [q_1]_j)$ are not accessible in $P_i(A_S) || P_j(A_S)$, and hence, $p_i(s_1) | p_j(s_2)$ and $p_i(s_2) | p_j(s_1)$ cannot evolve after $a$, and therefore, do not generate illegal strings out of the original strings, implying that $(s_1, s_2, a, E_i, E_j)$ will no longer remain a DC3-violating tuple.

On the other hand, if $b$ appears before $a$ in both strings $s_1$ and $s_2$, then $\exists q, q_1, q_2, q_1', q_1'', q_2', q_2'' \in Q_i \times Q_j$, $\omega_1, \omega_2 \in [(E_i \cup E_j) \backslash (E_i \cap E_j)]^*$, $\omega_1', \omega_2' \in (E_i \cup E_j)^*$, $a \in E_i \cap E_j$ such that $\delta_{i,j}(q, \omega_1) = q_1'$, $\delta_{i,j}(q_1', b) = q_1''$, $\delta_{i,j}(q_1'', \omega_1') = q_1$, $\delta_{i,j}(q_1, a)!$, $\delta_{i,j}(q, \omega_2) = q_2'$, $\delta_{i,j}(q_2', b) = q_2''$, $\delta_{i,j}(q_2'', \omega_2') = q_2$, $\delta_{i,j}(q_2, a)!$, which leads to accessibility of $([q_1'']_i, [q_2'']_j)$ and $([q_2'']_i, [q_1'']_j)$ as well as $([q_1]_i, [q_2]_j)$ and $([q_2]_i, [q_1]_j)$ in $P_i(A_S) || P_j(A_S)$. This means that although $(s_1, s_2, a, E_i, E_j)$ is no longer a DC3-violating tuple, $(s_1, s_2, b, E_i, E_j)$ emerges as a new DC3-violating tuple.

In this case (when $\nexists b \in (E_i \cup E_j) \backslash (E_i \cap E_j)$ that appears before $a$ in only one of the strings $s_1$ or $s_2$), instead of inclusion of $b$ in $E_i \cap E_j$, if two different events that appear before $a$ in strings $p_{E_i \cup E_j}(s_1)$ and $p_{E_i \cup E_j}(s_2)$ are attached to $E_i \cap E_j$, it leads to $\exists q, q_1, q_2, q_3, q_4 \in Q_i \times Q_j$, $\omega_1, \omega_2, \omega_1', \omega_2' \in [(E_i \cup E_j) \backslash (E_i \cap E_j)]^*$, $e_1, e_2, a \in E_i \cap E_j$ such that $\delta_{i,j}(q, \omega_1 e_1) = q_1$, $\delta_{i,j}(q_1, \omega_1') = q_3$, $\delta_{i,j}(q_3, a)!$, $\delta_{i,j}(q, \omega_2 e_2) = q_2$, $\delta_{i,j}(q_2, \omega_2') = q_4$, $\delta_{i,j}(q_4, a)!$. Consequently, due to the synchronization constraint in parallel composition, $([q_1]_i, [q]_j)$, $([q]_i, [q_1]_j)$, $([q_2]_i, [q]_j)$ and $([q]_i, [q_2]_j)$, and hence, $([q_3]_i, [q_4]_j)$ and $([q_4]_i, [q_3]_j)$ are not accessible in $P_i(A_S) || P_j(A_S)$, i.e., no more violating tuples form on strings $s_1$ and $s_2$.

C. Proof for Lemma 6

For any DC4-violating tuple $(q, t_1, t_2, e, E_i)$, with $q, q_1, q_2 \in Q$, $t_1, t_2 \in (E \backslash E_i)^*$, $e \in E_i$, $\delta(q, t_1) = q_1 \neq \delta(q, t_2) = q_2$, exclusion of $e$ from $E_i$ leads to $p_i(e) = \varepsilon$, and $p_i(t_1 e) = p_i(t_2 e) = \varepsilon$, $[q]_i = [\delta(q_1, e)]_i = [\delta(q_2, e)]_i$, and hence, $(q, t_1, t_2, e, E_i)$ will no longer behave as a DC4-violating tuple. However, it should be noted that it may cause another nondeterminism on an event after $e$, and this event exclusion is allowed only if $e$ is passive in $E_i$ and the exclusion does not violate EF1-EF4.

For the second method, i.e., event inclusion, if $\exists e' \in (t_1 \cup t_2) \backslash (t_1 \cap t_2)$, then without loss of generality, assume that $e' \in t_1 \backslash t_2$ such that $\exists q, q_1, q_2, q_1', q_1'' \in Q$, $t_1, t_2 \in (E \backslash E_i)^*$, $e \in E_i$, $\delta(q, t_1) = q_1 \neq \delta(q, t_2) = q_2$, $\delta(q_1', e') = q_1''$. In this case, inclusion of $e'$ in $E_i$ leads to $p_i(t_1 e) = e'e$, while $p_i(t_2 e) = e$, and therefore, $[q_1]_i = [q_1'']_i \neq [q_2]_i$, i.e., in $P_i(A_S)$, $t_1$ and $t_2$ will no longer cause a nondeterminism on $e$ from $q$, and accordingly, $(q, t_1, t_2, e, E_i)$ will not remain a DC4-violating tuple.

If, however, $\nexists e' \in (t_1 \cup t_2) \backslash (t_1 \cap t_2)$, i.e., $\forall e' \in (t_1 \cup t_2)$, $e' \in (t_1 \cap t_2)$, then inclusion of any such $e'$ generates a DC4-violating tuple $(q, t_1, t_2, e', E_i)$. In this case, Lemma 6 suggests to take two different events that appear before $e$, one from $t_1$ and the other from $t_2$, and include them into $E_i$ such that $\exists q, q_1, q_2, q_1', q_2', q_1'', q_2'' \in Q$, $e_1 \in t_1$, $e_2 \in t_2$, $e_1 \neq e_2$, $\delta(q, t_1) = q_1 \neq \delta(q, t_2) = q_2$, $\delta(q_1', e_1) = q_1''$, $\delta(q_2', e_2) = q_2''$. Thus, including $e_1$ and $e_2$ in $E_i$ results in $p_i(t_1) = e_1$, $p_i(t_2) = e_2$, $[q_1'']_i = [q_1]_i \neq [q_2'']_i = [q_2]_i$, meaning that $(q, t_1, t_2, e, E_i)$ is not a DC4-violating tuple anymore.

D. Proof for Lemma 7

The algorithm starts with excluding events from local event sets in which the events are passive and their exclusion does not violate EF1-EF4. From this stage onwards the decomposability conditions are no longer allowed to be enforced by link deletion, whereas the algorithm removes the violations of decomposability conditions by establishing new communication links. Next, the algorithm applies violating tuples in the order of corresponding number of violating tuples. If no new violations of decomposability conditions emerge during conducting of enforcing tuples, then the algorithm decomposes the task automaton with the minimum number of communication links, similar to the proof of Lemma 4, since iterations partition the set of violating tuples, and applying of enforcing tuples (based on Lemmas 4, 5 and 6) with the maximum number of violating tuples in each iteration gives the maximum number of resolutions per link addition, which leads to the minimum number of added communication links. The algorithm will terminate due to the finite number of states and events, and in the worst case all events are shared among all agents to make the automaton decomposable.

E. Proof for Lemma 8

Denoting the expression "$\forall E_i, E_j \in \{E_1, \ldots, E_n\}$, $i \neq j$, $a \in E_i \cap E_j$, $s = t_1 a t_1'$, $s' = t_2 a t_2'$, $p_{E_i \cap E_j}(t_1) = p_{E_i \cap E_j}(t_2) = \varepsilon$" as $A$, and the expression "$\delta(q_0, |_{i=1}^{n} p_i(s_i))!$ for any $\{s_1, \ldots, s_n\} \subseteq L(A_S)$, $s, s' \in \{s_1, \ldots, s_n\}$" as $B$, the condition DC3 can be written as $A \Rightarrow B$. Now, if $\forall s_1, s_2 \in E^*$, $s_1 \nleq s_2$, $s_2 \nleq s_1$, $q, q_1, q_2 \in Q$, $\delta(q, s_1) = q_1 \neq \delta(q, s_2) = q_2$, [$\nexists e_1, e_2 \in E$, $e_1 e_2 \leq s_1$, $e_2 e_1 \leq s_2$, $\forall t \in E^*$, $\delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!$], $\exists e \in s_1 \cap s_2$, any $e' \in \{e_1 \leq t_1, e_2 \leq t_2\}$, such that $e'$ appears before $e$, is included in $E_i$, $\forall i \in loc(e)$, it follows that $\forall E_i, E_j \in \{E_1, \ldots, E_n\}$, $i \neq j$, $a \in E_i \cap E_j$, $s = t_1 a t_1'$, $s' = t_2 a t_2'$, $\delta(q_0, s)! \wedge \delta(q_0, s')!$, $a \in s \cap s'$, then the first events of $t_1$ and $t_2$ belong to $E_i \cap E_j$, i.e., $A$ (the antecedent of DC3) becomes false, and hence, $A \Rightarrow B$ (DC3) holds true. Therefore, the procedure in Lemma 8 gives a sufficient condition to make DC3 always true.

It is similarly a sufficient condition for DC4, as follows. Let the expressions "$\forall i \in \{1, \ldots, n\}$, $x, x_1, x_2 \in Q_i$, $e \in E_i$, $t \in E_i^*$, $\delta(x, e) = x_1 \neq \delta(x, e) = x_2$" and "$\forall t \in E_i^*: \delta(x_1, t)! \Leftrightarrow \delta(x_2, t)!$" be denoted as $C$ and $D$, respectively. In this case, DC4 can be expressed as $C \Rightarrow D$. Then, for a deterministic automaton $A_S$, if $\forall s_1, s_2 \in E^*$, $s_1 \nleq s_2$, $s_2 \nleq s_1$, $q, q_1, q_2 \in Q$, $\delta(q, s_1) = q_1 \neq \delta(q, s_2) = q_2$, [$\nexists e_1, e_2 \in E$, $e_1 e_2 \leq s_1$, $e_2 e_1 \leq s_2$, $\forall t \in E^*$, $\delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!$], $\exists e \in s_1 \cap s_2$, the first events of $s_1$ and $s_2$ are included in all local event sets that contain $e$, it results in $\neg C$ (i.e., the antecedent of DC4 becomes false, and consequently, DC4 becomes always true), since in such a case $\forall E_i \in \{E_1, \ldots, E_n\}$, $t_1, t_2 \in E^*$, $q, q_1, q_2 \in Q$, $e \in E_i$, $\delta(q, t_1 e) = q_1 \neq \delta(q, t_2 e) = q_2$, then $\neg[p_i(t_1) = p_i(t_2) = \varepsilon]$.

The expression "[$\nexists e_1, e_2 \in E$, $e_1 e_2 \leq s_1$, $e_2 e_1 \leq s_2$, $\forall t \in E^*$, $\delta(q, e_1 e_2 t)! \Leftrightarrow \delta(q, e_2 e_1 t)!$]" in Lemma 8 is to exclude those pairs of strings $s_1$ and $s_2$ that start with $e_1 e_2$ and $e_2 e_1$, respectively, as they have already been checked with DC1 and DC2 and their interleaving does not impose illegal strings.